Bugtraq mailing list archives

Re: solaris 2.4 license-manager bug


From: Heiko.Herold () dei unipd it (Herold Heiko)
Date: Thu, 17 Oct 1996 10:34:09 +0200



Another bug for solaris 2.4
The license manager must be running, expect both
lmgrd.ste & suntechd to be somewhere in your process table.

...

Some observations ...

Lock files are created by the lmgrd process for each license daemon
process it manages when it starts. These lock files are generally owned
by root, the id under which they were started. If the sticky bit is set
on the /var/tmp directory, no normal user will be able to remove the
lock file, thus breaking step 1 of the exploit.

Perhaps there is a window of opportunity if you can create the symbolic

and there is another possibility if root installs some program in order
to automatically clean old files from /tmp, /var/tmp and does not pay
attention to root files and such.


--
--- hman () dei unipd it --- Heiko Herold --- Ankh-Morpork had dallied
with many forms of government and had ended up with that form of
democracy known as One Man, One Vote. The Patrician was the Man; he
had the Vote. -- Discworld politics explained  (Terry Pratchett, Mort)
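
An added example, not part of the original post: a defender's audit of the conditions discussed above (sticky bit on the shared temp directory, and lock files that are symbolic links or no longer owned by root, as could happen after a careless cleanup job). The `.lock` suffix and the `audit_tmp_dir` name are assumptions for illustration; the post does not name the actual lock files.

```python
import os
import stat


def audit_tmp_dir(path, lock_suffix=".lock", expected_uid=0):
    """Return a list of findings for a shared temp directory.

    lock_suffix and expected_uid are assumptions for this example; the
    post does not name the lock files the license daemons create.
    """
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a real directory"]

    findings = []
    # World-writable without the sticky bit: any user may unlink or rename
    # files owned by someone else, including root-owned lock files.
    world_writable = bool(st.st_mode & stat.S_IWOTH)
    sticky = bool(st.st_mode & stat.S_ISVTX)
    if world_writable and not sticky:
        findings.append(f"{path}: world-writable without sticky bit")

    for name in sorted(os.listdir(path)):
        if not name.endswith(lock_suffix):
            continue
        full = os.path.join(path, name)
        entry = os.lstat(full)  # lstat inspects the entry itself, never a link target
        if stat.S_ISLNK(entry.st_mode):
            findings.append(f"{full}: lock file is a symbolic link")
        elif not stat.S_ISREG(entry.st_mode):
            findings.append(f"{full}: lock file is not a regular file")
        elif entry.st_uid != expected_uid:
            findings.append(
                f"{full}: owned by uid {entry.st_uid}, expected {expected_uid}"
            )
    return findings


if __name__ == "__main__":
    for d in ("/tmp", "/var/tmp"):
        if os.path.lexists(d):
            for finding in audit_tmp_dir(d):
                print(finding)
```
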


