Path: csiph.com!weretis.net!feeder9.news.weretis.net!panix!.POSTED.2602:f977:0:1::3!not-for-mail
From: pa@see.signature.invalid (Pierre Asselin)
Newsgroups: comp.os.linux.misc
Subject: Re: copy.fail
Date: Sun, 3 May 2026 18:11:30 -0000 (UTC)
Organization: PANIX Public Access Internet and UNIX, NYC
Message-ID: <10t834i$dlm$1@reader1.panix.com>
References: <eli$2604300130@qaz.wtf> <10t09ci$3mbqc$1@news.xmission.com> <10t228c$17p94$1@news1.tnib.de> <wwv340bcbzf.fsf@LkoBDZeT.terraraq.uk> <10t4jl1$3ume2$1@news.xmission.com> <wwvfr49mpv3.fsf@LkoBDZeT.terraraq.uk>
Injection-Date: Sun, 3 May 2026 18:11:30 -0000 (UTC)
Injection-Info: reader1.panix.com; posting-host="2602:f977:0:1::3"; logging-data="14006"; mail-complaints-to="abuse@panix.com"
User-Agent: tin/2.6.4-20241224 ("Helmsdale") (NetBSD/10.1 (amd64))
Xref: csiph.com comp.os.linux.misc:86114

Richard Kettlewell <invalid@invalid.invalid> wrote:
> [ ... ]
> Stopping unprivileged users getting a file descriptor onto anything that
> might be executing, or executed, with different credentials would reduce
> risk by excluding all attacks that depended somehow on getting a file
> descriptor onto the target file. As already noted there?s a problem with
> shared libraries.

That doesn't solve anything. Letting an unprivileged user modify
the cached copy of files is BAAAAD. It doesn't have to be executable
code. /etc/passwd would be a good one, poke zeros in your uid:gid
fields, log out, log back in.

Even without privilege escalation, corrupting (cached copies of) random
files can wreak havoc.