OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq Archives: Re: Symlinks and Cryogenic Sleep

Re: Symlinks and Cryogenic Sleep

Subject: Re: Symlinks and Cryogenic Sleep
From: John Cochran (jdcFIAWOL.ORG)
Date: Tue Jan 04 2000 - 14:46:19 CST

der Mouse <mouseRODENTS.MONTREAL.QC.CA> wrote:

> > [symlink-paranoia code]
>
> > However, consider an average setuid root application, [...]. When
> > the application reaches the critical section of code between the
> > lstat and the open, you stop it by sending it a SIGSTOP.
>
> If you can send it a SIGSTOP, either you're running as root (in which
> case you don't *need* to play with symlink races), the application is
> running as you (in which case breaking it buys you nothing), or signal
> delivery is critically broken.
>
> In fact, I suspect that any process you can SIGSTOP, you can attach to
> with ptrace and do whatever you want without need for subtrefuge.

Script started on Tue Jan 4 15:40:55 2000
bash-2.02$ ls -l ./slow
-rwsr-xr-x 1 root nogroup 3170 Jan 4 15:36 ./slow
bash-2.02$ whoami
jdc
bash-2.02$ ./slow &
[1] 68416
bash-2.02$ ps -up 68416
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 68416 0.0 0.2 752 248 p1 S 3:41PM 0:00.01 ./slow
bash-2.02$ kill -STOP 68416

[1]+ Stopped ./slow
bash-2.02$ kill -CONT 68416
bash-2.02$ ps -up 68416
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 68416 0.0 0.2 752 248 p1 S 3:41PM 0:00.01 ./slow
bash-2.02$ kill -9 68416
[1]+ Killed ./slow
bash-2.02$ exit
exit

Script done on Tue Jan 4 15:42:06 2000

This archive was generated by hypermail 2b27 : Wed Jan 05 2000 - 13:15:11 CST