A paragraph from https://lwn.net/Articles/531381/
"Another possibility is that a set-user-ID application might be using the hostname as part of the name of a lock file. If an unprivileged user could run the application in a UTS namespace with an arbitrary hostname, this would open the application to various attacks. Most simply, this would nullify the effect of the lock file, triggering misbehavior in instances of the application that run in different UTS namespaces. Alternatively, a malicious user could run a set-user-ID application in a UTS namespace with a hostname that causes creation of the lock file to overwrite an important file. (Hostname strings can contain arbitrary characters, including slashes.)"
I am not sure what lock file the article is referring to and how this can be abused by changing the hostname. Can anyone elaborate?
Answer 1
If a program wibble creates a lockfile using the name /var/lock/wibble.lock-$(hostname) and you change the hostname from my-laptop to /../../../etc/password and the program writes something in it (for example the PID), then you can destroy your password database (depending on how paths are normalized).
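The defensive side of the scenario in the answer above, as an added example that is not part of the original answer or of the LWN article: a lock-file helper that treats the hostname as untrusted input and creates the lock relative to a directory descriptor. The function names `hostname_is_safe`, `lock_name` and `open_lock` are hypothetical; the `wibble.lock-` prefix comes from the answer.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define LOCK_PREFIX "wibble.lock-"   /* lock-file name from the answer above */
#define HOST_MAX 64                  /* Linux hostname length limit */

/* Return 1 if host can be used as part of a single file name, else 0.
 * Only [A-Za-z0-9.-] is accepted, so '/' can never appear; empty names
 * and names starting with '.' (which covers "." and "..") are rejected. */
int hostname_is_safe(const char *host)
{
    size_t n = strlen(host);
    if (n == 0 || n > HOST_MAX || host[0] == '.')
        return 0;
    return strspn(host, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                        "abcdefghijklmnopqrstuvwxyz0123456789.-") == n;
}

/* Build "wibble.lock-<host>" into out. Returns 0, or -1 if rejected. */
int lock_name(const char *host, char *out, size_t outlen)
{
    if (!hostname_is_safe(host)) { errno = EINVAL; return -1; }
    int n = snprintf(out, outlen, LOCK_PREFIX "%s", host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Create the lock inside the directory referred to by lockdir_fd.
 * O_EXCL refuses an existing file, O_NOFOLLOW refuses a symlink. */
int open_lock(int lockdir_fd, const char *host)
{
    char name[sizeof LOCK_PREFIX + HOST_MAX];
    if (lock_name(host, name, sizeof name) != 0)
        return -1;
    return openat(lockdir_fd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
}

int main(void)
{
    char host[HOST_MAX + 1] = "", name[sizeof LOCK_PREFIX + HOST_MAX];
    gethostname(host, sizeof host - 1);
    int ok = lock_name(host, name, sizeof name) == 0;
    printf("%s -> %s\n", host, ok ? name : "(rejected)");
    return ok ? 0 : 1;
}
```

The validation does not restore the locking guarantee across UTS namespaces, which is the other problem the quoted paragraph describes; it only keeps the hostname from steering where the file is created.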