Re: [PATCH] coredump - as root not only if euid switched

From: Albert Cahalan
Date: Fri Apr 23 2004 - 14:45:44 EST

Next message: Greg KH: "Re: [OOPS/HACK] atmel_cs and the latest changes in sysfs/symlink.c"
Previous message: Ian Stirling: "ITE8212 - SMART with RAID card."
In reply to: Peter Wächtler: "Re: [PATCH] coredump - as root not only if euid switched"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2004-04-23 at 15:14, Peter Wächtler wrote:
> Am Fr, 2004-04-23 um 17.35 schrieb Albert Cahalan:
> > > While it's more secure to not dump core at all if the
> > > program has switched euid, it's also very unpractical.
> > > Since only programs started from root, being setuid
> > > root or have CAP_SETUID it's far more practical to
> > > dump as root.root mode 600. This is the bahavior
> > > of Solaris.
> >
> > Solaris can keep their security holes.
> >
>
> I checked (older) versions on
>
> HP-UX, True64, AiX, MacOsX
>
> HP-UX didn't dump core on a seteuid 0->n prog
> Aix,MacOsX and True64 dumped core with ownership of user
> I could check Irix

It would be nice of you to do so, then issue some
sort of security alert.

> > Consider a setuid core dump on removable media which
> > is user-controlled.
>
> boot into rescue system...

If you're suggesting that user-controlled media implies
the ability to boot via that media, you're very wrong.

a. LinuxBIOS
b. OpenFirmware (Mac or Sun) with boot password
c. no floppy, and a Zip drive on BIOS-disabled SCSI
d. parallel port Zip drive
e. FireWire w/o BIOS support

(the "rip computer open" option is either physically
blocked or there is a human nearby that would notice)

> > Also consider filesystems that don't store full security
> > data, like vfat and smb/cifs.
> >
> > Core dumps to remote filesystems are a problem in
> > general, because the server might not implement the
> > type of security you expect it to implement.
> >
>
> mkdir /var/cores
> chmod a+rwx,o+t /var/cores
> echo /var/cores/%e.core.%p > /proc/sys/kernel/core_pattern

Sure, but you shouldn't assume that all admins know
to do this. The default must be secure.

> > Here's a better idea: add a sysctl for insecure core
> > dumps. When set, dump all cores as root.root mode 444.
> > Ignore directory permissions when doing so, so that
> > forcing dumps into a MacOS-style /cores directory does
> > not require that users be able to access it normally.
> > This lets appropriately authorized users debug setuid
> > apps and get support for them without adding security
> > holes like Solaris has.
>
> It's tunable via coreadm
>
> troll, troll

You said "This is the bahavior of Solaris." and I took
that for the truth. Now you say it's tunable. Well, OK
then, so Solaris _doesn't_ have an insecure config as
it comes from Sun? I have no problem with supporting an
insecure config, but you were suggesting that it would
be the new default (and only) behavior.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg KH: "Re: [OOPS/HACK] atmel_cs and the latest changes in sysfs/symlink.c"
Previous message: Ian Stirling: "ITE8212 - SMART with RAID card."
In reply to: Peter Wächtler: "Re: [PATCH] coredump - as root not only if euid switched"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]