but assuming you have multiple users on your system, how do you
propose that a target be tricked into cd'ing into a trojaned directory
and attempt to execute the magic command. what would this trojaned
command do? without setuid (or a superuser), the options are more
constrained.
How about forking off a server process that lets me execute arbitrary
commands as you?
How about placing trojan processes in your personal bin directory?
How about subtly corrupting all of the writable data in your filesystem?
How about setting up a spam bot on your machine? Using your machine as
part of a distributed denial-of-service attack against some other
networked machines?
How about replacing your compiler with one that introduces errors
nondeterministically? Changing your acme to occasionally not save your
data?
If you sit down and think of it for a little bit you'll notice this is
just the tip of the iceberg. There are lots of irritating things that can
happen even without setuid or a super user.
- erik
Tim Newsham
http://www.thenewsh.com/~newsham/
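The "tricked into cd'ing into a trojaned directory" scenario discussed above only works when the command search path lets the current or some other writable directory shadow real binaries. The following script is an added example, not code from either poster, that audits a PATH-style string for exactly those entries: empty fields and "." (both resolve to the current directory), relative entries, and absolute directories that are world-writable. It assumes POSIX sh with a `find` that supports `-perm -002`; directory names containing ':' are not handled, and the function name `audit_path` is this example's own.

```shell
#!/bin/sh
# Added example: audit a colon-separated search path for entries that let
# an untrusted directory supply the command a user thinks they are running.
# Findings go to stderr; the number of findings is printed on stdout.

audit_path() {
    rest="$1:"        # trailing ':' so the last field is processed too
    findings=0
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"     # field up to the first ':'
        rest="${rest#*:}"       # drop that field and its ':'
        case "$entry" in
            ""|.)
                # An empty field or "." is the current working directory,
                # so any directory you cd into can shadow real commands.
                echo "INSECURE: empty or '.' entry resolves to the current directory" >&2
                findings=$((findings + 1)) ;;
            /*)
                if [ -d "$entry" ]; then
                    # World-writable: anyone on the system can drop a
                    # lookalike command there. Checked via the other-write
                    # bit rather than -w, so the result is the same for root.
                    if [ -n "$(find "$entry" -prune -perm -002 -print 2>/dev/null)" ]; then
                        echo "INSECURE: $entry is world-writable" >&2
                        findings=$((findings + 1))
                    fi
                else
                    echo "note: $entry does not exist (harmless, but tidy it up)" >&2
                fi ;;
            *)
                # Relative entries are resolved against the current directory
                # as well, just less obviously than "." is.
                echo "INSECURE: relative entry '$entry' depends on the current directory" >&2
                findings=$((findings + 1)) ;;
        esac
    done
    echo "$findings"
}

# Usage: audit the running shell's own search path.
count=$(audit_path "$PATH")
echo "$count insecure PATH entries found" >&2
```

A clean result is a count of 0; a non-zero count names the entries that make the "cd into a trojaned directory" trick possible for an unprivileged attacker, which is the part of the scenario a defender can actually close.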