Re: [PATCH] coredump - as root not only if euid switched

[Peter Waechtler]

On Thursday, April 22, 2004, at 03:18AM, Andrew Morton <akpm@xxxxxxxx> wrote:

>Peter W�chtler <pwaechtler@xxxxxxx> wrote:
>>
>> While it's more secure to not dump core at all if the program has
>>  switched euid, it's also very unpractical. Since only programs 
>>  started from root, being setuid root or have CAP_SETUID it's far 
>>  more practical to dump as root.root mode 600. This is the bahavior 
>>  of Solaris.
>> 
>>  The current implementation does not ensure that an existing core
>>  file is only readable as root, i.e. after dumping the ownership 
>>  and mode is unchanged.
>> 
>>  Besides mm->dumpable to avoid recursive core dumps, on setuid files 
>>  the dumpable flag still prevents a core dump while seteuid & co will
>>  result in a core only readable as root.
>
>It's a bit sad to add another function call level to sys_unlink() simply
>because the core dumping code needs it.
>
>Is it not possible to call sys_unlink() directly from there?  Something like
>
>long kernel_unlink(const char *name)
>{
>	mm_segment_t old_fs = get_fs();
>	long ret;
>
>	set_fs(KERNEL_DS);
>	ret = sys_unlink(name);
>	set_fs(old_fs);
>	return ret;
>}	

And you're asking me? ;)
While getname() has a check for user/kernelspace - do you really
care about "the overhead" for a function call level with 1 argument?
Uhm, probably if you even care to write this..

What is the cost for switching the segments?
But I agree that sys_unlink should be the fast call and dumping core
is the exception :)

would fastcall do_unlink() help? I guess the arg is then passed in a
register


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/