On Thu, May 23, 2013 at 9:43 AM, Michael ODonnell < michael.odonn...@comcast.net> wrote:
> > > > A subdir in /tmp can certainly have my ownership and permissions. > > And I guess they can't delete the directory because it isn't > > empty, but with permissions on the parent directory, can't they > > move it? > > Picky, picky, picky. Well, for completeness I suppose we should > mention the "deleted file" trick (not necessarily better than your > flock trick) where your app creates its secret-squirrel file in > /tmp and then deletes it while holding it open. (This trick is > popular with malware eg. the Flash plugin) > > Your confederates can identify likely instances of your app using > ps and then verify by reading the secret-squirrel file via the > symlinked handle in /proc/$yourPIDhere/fd. Since the file has > no directory entry it can't be deleted by friend or foe and only > those with appropriate privileges can access it as described, > and all traces vanish upon process termination. > Has /proc become POSIX, or are we drifting into the Linux specific here? > > Example: > > # echo HiMom > /tmp/SecretSquirrelFile > > # sleep 1000 < /tmp/SecretSquirrelFile & > [2] 29570 > > # rm /tmp/SecretSquirrelFile > > # ls -laF /tmp/SecretSquirrelFile > ls: cannot access /tmp/SecretSquirrelFile: No such file or directory > > # ls -laF /proc/$(pidof sleep)/fd > total 0 > dr-x------ 2 mod mod 0 May 23 08:58 ./ > dr-xr-xr-x 8 mod mod 0 May 23 08:57 ../ > lr-x------ 1 mod mod 64 May 23 08:58 0 -> /tmp/SecretSquirrelFile > (deleted) > lrwx------ 1 mod mod 64 May 23 08:58 1 -> /dev/pts/0 > lrwx------ 1 mod mod 64 May 23 08:58 2 -> /dev/pts/0 > > # readlink /proc/$(pidof sleep)/fd/0 > /tmp/SecretSquirrelFile (deleted) > > # cat /proc/$(pidof sleep)/fd/0 > HiMom > > > Certainly nifty enough. Bill
_______________________________________________ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
