Conclusion
- su(1), newrole(1) and sudo(1) support the specification of a command to run in a new security context, before authentication for that new security context has been completed
- This can be abused to escalate privileges
- A proof of concept, using ptrace(2), will be demonstrated
- A proof of concept, using LD_PRELOAD, will be demonstrated