Pekka Enberg <penberg@xxxxxxxxxxxxxx> wrote: > On Thu, 2006-07-27 at 20:06 +0200, Petr Baudis wrote: > > Make that setuid root or just create log file owned by you and make root > > run it. Should be innocent enough, right? > > > > Well, except that you can revoke the log file before the shadow file is > > opened, at which point open() probably reuses the fd and the program > > conveniently logs to /etc/shadow. > No, the fd is leaked on purpose to avoid recycling. See revoke_fds for > details. Doesn't that violate a POSIX guarantee that the lowest unused fd is returned? If the leakage lasts "long enough", this gives an opportunity of a nice DoS by using up fds... -- Dr. Horst H. von Brand User #22616 counter.li.org Departamento de Informatica Fono: +56 32 654431 Universidad Tecnica Federico Santa Maria +56 32 654239 Casilla 110-V, Valparaiso, Chile Fax: +56 32 797513 - To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
