Re: [PATCH] coredump - as root not only if euid switched

[Peter Wächtler]

Am Fr, 2004-04-23 um 17.35 schrieb Albert Cahalan:
> > While it's more secure to not dump core at all if the
> > program has switched euid, it's also very unpractical.
> > Since only programs started from root, being setuid
> > root or have CAP_SETUID it's far more practical to
> > dump as root.root mode 600. This is the bahavior 
> > of Solaris.
> 
> Solaris can keep their security holes.
> 

I checked (older) versions on

HP-UX, True64, AiX, MacOsX

HP-UX didn't dump core on a seteuid 0->n prog
Aix,MacOsX and True64 dumped core with ownership of user
I could check Irix

> Consider a setuid core dump on removable media which
> is user-controlled.
> 

boot into rescue system...

> Also consider filesystems that don't store full security
> data, like vfat and smb/cifs.
> 
> Core dumps to remote filesystems are a problem in
> general, because the server might not implement the
> type of security you expect it to implement.
> 

mkdir /var/cores
chmod a+rwx,o+t /var/cores
echo /var/cores/%e.core.%p > /proc/sys/kernel/core_pattern

> 
> Here's a better idea: add a sysctl for insecure core
> dumps. When set, dump all cores as root.root mode 444.
> Ignore directory permissions when doing so, so that
> forcing dumps into a MacOS-style /cores directory does
> not require that users be able to access it normally.
> This lets appropriately authorized users debug setuid
> apps and get support for them without adding security
> holes like Solaris has.

It's tunable via coreadm

troll, troll


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/