Subject: Re: sysctl knob to let sugid processes dump core (pr 15994)
To: None <joerg@britannica.bec.de>
From: Garrett D'Amore <garrett_damore@tadpole.com>
List: tech-kern
Date: 01/13/2006 12:34:28
joerg@britannica.bec.de wrote:
>On Fri, Jan 13, 2006 at 11:16:43AM -0800, Garrett D'Amore wrote:
>
>
>>Here's the scenario I see, and it should be thought out:
>>
>>
>
>Yes, this is very similiar to what I had in mind.
>
>
>
>>Imagine this attack: malicious user drops in a symlink from /var/core to
>>/. Site doesn't use this for many months, but then either turns this
>>feature on, or perhaps the first core dump occurs many months later.
>>The process of dumping core now clobbers the root filesystem, and I have
>>a major outage.
>>
>>
>
>Coredumps don't follow symlinks, we would have enough problems already
>otherwise. Second, I did ask for a default directory for those coredumps
>exactly to prevent such problems. Setuid-root programs (just like
>root programs) could coredump everywhere, it makes sense to redirect
>that output. The uid of the output just makes it easier to limit disk
>usage, esp. when /var/core [to use your example] is not a separate
>filesystem.
>
>
>
I didn't know that core dumps don't follow symlinks. If this will be
true for the parent directory (or the default directory) as well, then
I'm happy with the current proposal and consider my objections satisfied.
The disk quota point you make is a good one. Probably the effective
uid/gid is the right answer.
-- Garrett
>Joerg
>
>
--
Garrett D'Amore http://www.tadpolecomputer.com/
Sr. Staff Engineer Extending the Power of 64-bit UNIX Computing
Tadpole Computer, Inc. Phone: (951) 325-2134