Re: Ayyy LMAO
It's the correct behaviour. Read the flaw description:
DYLD_PRINT_TO_FILE opens another file descriptor for the given target *and doesn't close it afterwards* so leaks it to the subshell.
As for why it works, just try these:
echo id | newgrp
echo 'echo $HOME' | newgrp
(these work on Linux too, by the way).
* newgrp starts a shell (see 'man newgrp')
* the shell detects it's not connected to a tty, so runs in non-interactive mode (see 'man bash')
* in non-interactive mode, it reads and processes commands on stdin then terminates
The reason for using 'newgrp' in this context is that it's a setuid binary, so it runs with root privileges. Of course it drops them by the time the shell is run, but by then it's too late: the DYLD_PRINT_TO_FILE feature of the dynamic linker has already opened the file, and left the open file descriptor around for the child shell to consume (as file descriptor 3, since 0-2 were already in use as stdin/stdout/stderr).