Comments by "LoneTech" (@0LoneTech) on "PwnFunction" channel.

  1. It isn't even a coherent sentence, let alone an argument.
    2
  2. If you're talking about /proc/N/fd, as shown in this video, the file handle itself isn't exposed, only information about it (its number and opened path). The & redirection accessed a file descriptor in the shell it was used in. Additionally, there are permissions on /proc so you can't see this information for other users.
    2
  3.  @dmitryincog7455  s/terminal/shell/
    1
  4. Not mentioning close on exec, the specific mitigation for the demonstrated issue, is a serious oversight.
    1
  5. There's a close on exec flag (CLOEXEC) you can set using open() or fcntl() to avoid this issue. Another common bug is leaving the last written data in buffers due to not flushing or closing files, leading to corruption if the program doesn't finish cleanly.
    1
  6. In effect yes. File descriptors are a limited resource both per process and system.
    1
  7. /proc shows a symbolic link with the name the descriptor was opened to. That name may be gone or restricted (e.g. anonymous pipes have no name to be found by, or a file could be renamed or deleted). File descriptors can be cloned across processes through unix sockets with ioctl sendfd, or you could attach as a debugger to control another process with ptrace.
    1