Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
To: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-security
Date: 08/27/1999 17:02:01
Cc: "Todd C. Miller" <Todd.Miller@courtesan.com>, tech-security@netbsd.org
Message-ID: <19990827170201.A4793@antioche.lip6.fr>
References: <Todd.Miller@courtesan.com> <199908271457.OAA19930@orchard.arlington.ma.us>
In-Reply-To: <199908271457.OAA19930@orchard.arlington.ma.us>; from Bill Sommerfeld on Fri, Aug 27, 1999 at 10:57:54AM -0400
On Fri, Aug 27, 1999 at 10:57:54AM -0400, Bill Sommerfeld wrote:
> I think coredumps through symlinks are dangerous in general and should
> just be disabled.
I'd prefer we'd go this way too.
>
> IMHO what the folks creating symlinks to not send their coredumps into
> NFS "really" want is a per-process inherited attribute which I'll call
> the "core filename format".
>
> Currently it's "%n.core"
>
> reasonable things might be:
>
> format chars:
> n: program name
> p: process id
> u: user login name (as set by setlogin(2)), ...
>
> Implementing this seems like a reasonable afternoon project and
> doesn't seem fraught with risk like the "check owner of symlink" thing
> would be..
More work than I want to put into this, but sounds nice :)
--
Manuel Bouyer, LIP6, Universite Paris VI. Manuel.Bouyer@lip6.fr
--