A kernel security hole
Posted Jan 18, 2008 21:40 UTC (Fri) by giraffedata
In reply to: A kernel security hole
Parent article: A kernel security hole
Then unlink() that copy, and the link count will fall to zero, leading to /etc/passwd being
unlinked. It's not open all the time, so this now leads to /etc/passwd's blocks being freed.
It doesn't unlink /etc/passwd (and that's the problem). What it does is delete the password file. /etc/passwd now points to a ghost inode.
So what you want to do to exploit this is create files until one happens to get that inode slot (i.e. inode number). Now you own the password file.
to post comments)