Re: chfn problem with Linux

Olaf Kirch (okir@monad.swb.de)
Tue, 8 Aug 1995 20:56:32 +0200 (MET DST)


[Quoting from a message forwarded to linux-security by Nick Kralevich]
ftlofaro@unlv.edu (Frank T Lofaro) wrote on alt.hackers:

> A poster mentioned here the chfn could be used to hose a linux box.
> He didn't say, but it looked like one could hose the system by
> killing/suspending chfn right after opening /etc/passwd in truncate
> mode. I ran a trace on chfn.

This problem affects kill in general. The kernel allows a process
to send a signal to another process as long as the _sending_ process's
euid matches the signalled process's effective or real uid (cf.
kill_prog in kernel/exit.c).

I believe this should be the other way round. Quoting from the HP
kill(2) manpage: ``The real or effective uid of the sending process
must match the real or saved uid of the receiving process, unless the
effective uid of the sending process is super-user.'' However, a comment
in Lewine's POSIX book says that killing another process is also allowed
when its ruid matches...

Olaf

-- 
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
             For my PGP public key, finger okir@brewhq.swb.de.
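The two permission rules contrasted in the message, written out as plain C predicates so the divergence can be checked directly: the 1995 Linux check as Olaf describes kill_prog in kernel/exit.c, and the HP kill(2) wording he quotes (which is also the check current Linux applies in kernel/signal.c). This is an added example, not code from the message or from any kernel source; the struct and the uid values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Credentials consulted by a kill(2) permission check.
 * Constructed for illustration; not the kernel's own task structure. */
struct cred {
    uid_t ruid;  /* real uid: who invoked the program */
    uid_t euid;  /* effective uid: what it currently runs as */
    uid_t suid;  /* saved set-user-id: what it was set-uid to */
};

/* Check as the message describes kill_prog in kernel/exit.c (1995):
 * the sender's euid must equal the target's effective or real uid. */
bool may_kill_linux_1995(const struct cred *s, const struct cred *t)
{
    return s->euid == 0 || s->euid == t->euid || s->euid == t->ruid;
}

/* Check as quoted from the HP kill(2) manpage: the sender's real or
 * effective uid must equal the target's real or saved uid, unless the
 * sender's effective uid is the superuser. */
bool may_kill_posix(const struct cred *s, const struct cred *t)
{
    if (s->euid == 0)
        return true;
    return s->ruid == t->ruid || s->ruid == t->suid ||
           s->euid == t->ruid || s->euid == t->suid;
}

/* True when the two rules give different answers for this pair. */
bool rules_disagree(const struct cred *s, const struct cred *t)
{
    return may_kill_linux_1995(s, t) != may_kill_posix(s, t);
}

int main(void)
{
    /* Constructed scenario from the thread: uid 1000 runs set-uid-root
     * chfn (ruid 1000, euid 0, suid 0) and signals it from a plain shell. */
    struct cred shell = { 1000, 1000, 1000 }, chfn = { 1000, 0, 0 };
    /* A set-uid program owned by a third uid (5), also run by uid 1000. */
    struct cred setuid5 = { 1000, 5, 5 };

    printf("shell -> chfn  : 1995=%d posix=%d\n",
           may_kill_linux_1995(&shell, &chfn), may_kill_posix(&shell, &chfn));
    printf("setuid5 -> chfn: 1995=%d posix=%d disagree=%d\n",
           may_kill_linux_1995(&setuid5, &chfn), may_kill_posix(&setuid5, &chfn),
           rules_disagree(&setuid5, &chfn));
    return 0;
}
```

Both rules let the invoking user signal a set-uid program, which is why the chfn case is a property of kill(2) in general rather than of chfn; they differ only when the sender's effective and real identities are not the same, as the second line of output shows.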