bug in /sbin/ps on sunos5.4 ?

[avalon () COOMBS ANU EDU AU (Darren Reed)]

or is it /usr/bin/ps...

anyway, has anyone worked out whether or not it is possible to exploit
the race condition in /bin/ps if /tmp/ps_data is missing ?

...if you want the details, just goto any system you're root on which
is solris2, rm /tmp/ps_data and do "truss ps >&/tmp/foo" and look through
/tmp/foo for a chown.  It looks possible, but not easy.

of course it is really only a problem when /tmp is rwxrwxrwx (which is
pretty common with /tmp mounting from swapfs and no chmod in any /etc/rc
scripts).

the fix is to chmod +t /tmp and put that in the rc script which mounts
/tmp (after /tmp is mounted) and make sure root owns /tmp/ps_data :)

darren