Subject: Re: coredump following symlinks
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Robert Elz <kre@munnari.OZ.AU>
List: tech-kern
Date: 08/27/1999 21:00:38
Date: Fri, 27 Aug 1999 12:36:09 +0200
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
Message-ID: <19990827123609.A359@antioche.lip6.fr>
| For security reasons (see tech-security, it's possible to create or override
| a file using a bug in find and symbolic links), I'd like to prevent core
| dumps from following symlinks or overriding existing files.
From following symlinks (if the core file name is a symlink), that's
reasonable - from overwriting existing files, that's not, nor is it
really necessary.
In particular, if you're using short core names ("core") it isn't really
reasonable to not have a process leave a core dump, just because some other
did, some time in the past, which hasn't been deleted.
I think that all the security problems can be avoided if you just never
write onto a file name which is a symlink, and never write on a file which
has more than one link. Neither of those is likely to bother any normal
use of core files, so would be reasonable restrictions. Requiring
"rm core" before running any command, just in case that command would
have liked to dump core, isn't reasonable.
kre
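The rule kre proposes above (refuse to write a core file whose name is a symlink, refuse a file that has more than one link, but allow an existing plain "core" to be overwritten), worked through as an added user-space C example. This is not code from the thread or from the NetBSD kernel; it assumes a POSIX system with O_NOFOLLOW, and the core_open()/scenario() names, the temporary directory and the "victim" file it sets up are all constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum core_open_result {
    CORE_OK = 0,     /* fd returned; safe to dump into */
    CORE_SYMLINK,    /* refused: the core name is a symbolic link */
    CORE_MULTILINK,  /* refused: the file has more than one hard link */
    CORE_NOTREG,     /* refused: not a regular file (fifo, device, ...) */
    CORE_ERR         /* some other failure; see errno */
};

/* Open "path" for a core dump under the two restrictions kre describes.
 * Returns an fd >= 0 and *why == CORE_OK, or -1 with *why saying why not. */
int core_open(const char *path, enum core_open_result *why)
{
    /* No O_TRUNC yet: an existing file must pass the checks before we
     * destroy its contents. O_NOFOLLOW refuses a symlink at the last
     * path component, which is the "core file name is a symlink" case. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) {
        int e = errno;
        /* Linux reports ELOOP for a symlink under O_NOFOLLOW; some BSDs use
         * EMLINK or EFTYPE instead (EFTYPE is only tested where defined). */
        int is_link = (e == ELOOP || e == EMLINK
#ifdef EFTYPE
                       || e == EFTYPE
#endif
                      );
        *why = is_link ? CORE_SYMLINK : CORE_ERR;
        return -1;
    }
    /* Check the object we actually opened (fstat on the fd), not the path:
     * stat'ing the path again would reopen the race that O_NOFOLLOW closed. */
    struct stat st;
    if (fstat(fd, &st) < 0)   { close(fd); *why = CORE_ERR;       return -1; }
    if (!S_ISREG(st.st_mode)) { close(fd); *why = CORE_NOTREG;    return -1; }
    if (st.st_nlink > 1)      { close(fd); *why = CORE_MULTILINK; return -1; }
    /* Only now is it safe to throw the old contents away. */
    if (ftruncate(fd, 0) < 0) { close(fd); *why = CORE_ERR;       return -1; }
    *why = CORE_OK;
    return fd;
}

/* Constructed test situation in a fresh temp directory: kind 0 = an old
 * plain "core" is in the way, 1 = "core" is a symlink to a victim file,
 * 2 = "core" is a hard link to the victim. Returns the core_open_result,
 * CORE_ERR if the victim's contents were touched, or -1 on setup trouble. */
int scenario(int kind)
{
    const char *tmp = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char dir[512], core[600], victim[600];
    const char payload[] = "do not clobber\n";   /* stands in for ~/.rhosts */
    struct stat st;
    enum core_open_result why = CORE_ERR;
    int rc = -1, f;

    snprintf(dir, sizeof dir, "%s/coredemoXXXXXX", tmp);
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(core, sizeof core, "%s/core", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);

    f = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (f < 0 || write(f, payload, sizeof payload - 1) != (ssize_t)(sizeof payload - 1)) goto out;
    close(f);

    switch (kind) {
    case 0: f = open(core, O_WRONLY | O_CREAT, 0600);
            if (f < 0 || write(f, "old core", 8) != 8) goto out;
            close(f); break;
    case 1: if (symlink(victim, core) < 0) goto out; break;
    case 2: if (link(victim, core) < 0) goto out; break;
    default: goto out;
    }

    f = core_open(core, &why);
    if (f >= 0) { (void)!write(f, "new core", 8); close(f); }
    rc = why;
    /* Whatever core_open decided, the victim must still hold its payload. */
    if (stat(victim, &st) != 0 || st.st_size != (off_t)(sizeof payload - 1)) rc = CORE_ERR;
out:
    unlink(core); unlink(victim); rmdir(dir);
    return rc;
}

int main(void)
{
    printf("plain file: %d  symlink: %d  hard link: %d\n",
           scenario(0), scenario(1), scenario(2));
    return 0;
}
```

The two design points worth noting: the checks are made on the descriptor after the open rather than with lstat() on the name beforehand, so nobody can swap a symlink or hard link in between the check and the write; and truncation is deferred until the checks pass, so a refused file keeps its contents. Case 0 shows the other half of kre's argument: a stale plain "core" is simply overwritten, with no "rm core" needed first.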