In Linux, every process holds its own file descriptor table, which keeps references to all opened files and file-like devices. This table is managed by the kernel.
Is it possible that a non-privileged user modifies a file descriptor in the file descriptor table of an elevated process so that the file descriptor points to another file?
A Practical Example
Process 1000 runs as root and reads continuously from FD 0 (stdin) to FD 1 (stdout). Process 1001 runs as eve and wants to modify the file descriptor table of PID 1000 so that FD 1 points to /etc/sudoers instead.
Is this possible?
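As an added illustration (not part of the original question), the following sketch shows the premise from the first paragraph: each process has its own kernel-managed file descriptor table, so a `dup2` in a forked child re-points the descriptor only in the child's table and the parent's entry is unchanged. It covers only this same-user fork case, not the cross-process case asked about. The file names `a.txt` and `b.txt` and the helper names `fd_identity` and `demo` are constructed for the example.

```python
import os
import tempfile


def fd_identity(fd):
    """Return (device, inode) of the file that fd refers to in THIS process."""
    st = os.fstat(fd)
    return (st.st_dev, st.st_ino)


def demo():
    """Fork, re-point a descriptor in the child, report what each process sees."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample files: "a" is the original target, "b" the other file.
        fd_a = os.open(os.path.join(tmp, "a.txt"), os.O_CREAT | os.O_WRONLY, 0o600)
        fd_b = os.open(os.path.join(tmp, "b.txt"), os.O_CREAT | os.O_WRONLY, 0o600)
        id_a, id_b = fd_identity(fd_a), fd_identity(fd_b)

        r, w = os.pipe()
        pid = os.fork()  # the child starts with a copy of the parent's FD table
        if pid == 0:
            try:
                os.close(r)
                # Re-point descriptor number fd_a at file "b" in the child's table only.
                os.dup2(fd_b, fd_a)
                os.write(w, b"1" if fd_identity(fd_a) == id_b else b"0")
            finally:
                os._exit(0)  # leave immediately; never return into the caller

        os.close(w)
        child_fd_now_b = os.read(r, 1) == b"1"
        os.close(r)
        os.waitpid(pid, 0)

        # The parent's table entry for fd_a was not touched by the child's dup2.
        parent_fd_still_a = fd_identity(fd_a) == id_a
        os.close(fd_a)
        os.close(fd_b)
        return {"child_fd_now_b": child_fd_now_b,
                "parent_fd_still_a": parent_fd_still_a}


if __name__ == "__main__":
    print(demo())
```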