Subject: sysctl knob to let sugid processes dump core (pr 15994)
To: None <tech-kern@netbsd.org, tech-security@NetBSD.org>
From: Elad Efrat <elad@NetBSD.org>
List: tech-security
Date: 01/13/2006 15:31:02
This is a multi-part message in MIME format.
--------------010806000106060305030102
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Hi,
PR 15994 suggests a sysctl knob to allow set-id processes dump
core. This is a security risk, but may be useful (as the PR
notes) on machines used for debugging.
Attached is a patch very similar to the one in the PR only that
it uses sysctl(9). It adds a security.sugid_coredump knob, default
off, and notes the security risk in the sysctl(3) man-page.
If this is not a welcome change, please state so and I'll close
the PR. However, if it is, I know some people suggested having
the knob work with specific care of the system securelevel, such
as not allowing this knob to be used on securelevel > 1.
Please voice your opinion on what the wanted behavior is, if at
all, and I'll take care of the code/PR.
-e.
--
Elad Efrat
--------------010806000106060305030102
Content-Type: text/plain;
name="sugid_coredump.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="sugid_coredump.diff"
Index: lib/libc/gen/sysctl.3
===================================================================
RCS file: /cvsroot/src/lib/libc/gen/sysctl.3,v
retrieving revision 1.159
diff -u -p -r1.159 sysctl.3
--- lib/libc/gen/sysctl.3 1 Dec 2005 18:08:10 -0000 1.159
+++ lib/libc/gen/sysctl.3 13 Jan 2006 13:21:31 -0000
@@ -29,7 +29,7 @@
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
-.Dd December 1, 2005
+.Dd January 13, 2006
.Dt SYSCTL 3
.Os
.Sh NAME
@@ -1878,9 +1878,10 @@ for more details.
.Sh CTL_SECURITY
The security level contains various security-related settings for
the system. Available settings are detailed below.
-.Bl -column "SECURITY_CURTAIN" "integerXXX" -offset indent
+.Bl -column "SECURITYXSUGIDCOREDUMP" "integerXXX" -offset indent
.It Sy Second level name Type Changeable
.It SECURITY_CURTAIN integer yes
+.It SECURITY_SUGIDCOREDUMP integer yes
.El
.Pp
.Bl -tag -width "123456"
@@ -1899,6 +1900,10 @@ and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
+.It Li SECURITY_SUGIDCOREDUMP
+If non-zero, set-user-id and set-group-id processes will dump core
+on segfault. Because this is a security risk, the default behavior
+is to not dump core when such a process segfaults.
.El
.Sh CTL_VENDOR
The "vendor" toplevel name is reserved to be used by vendors who wish to
Index: sbin/sysctl/sysctl.8
===================================================================
RCS file: /cvsroot/src/sbin/sysctl/sysctl.8,v
retrieving revision 1.134
diff -u -p -r1.134 sysctl.8
--- sbin/sysctl/sysctl.8 21 Dec 2005 12:21:06 -0000 1.134
+++ sbin/sysctl/sysctl.8 13 Jan 2006 13:21:32 -0000
@@ -61,7 +61,7 @@
.\"
.\" @(#)sysctl.8 8.1 (Berkeley) 6/6/93
.\"
-.Dd December 21, 2005
+.Dd January 13, 2006
.Dt SYSCTL 8
.Os
.Sh NAME
@@ -512,6 +512,7 @@ privilege can change the value.
.It proc.\*[Lt]pid\*[Gt].stopexec int yes
.It proc.\*[Lt]pid\*[Gt].stopfork int yes
.It security.curtain integer yes
+.It security.sugid_coredump integer yes
.It user.bc_base_max integer no
.It user.bc_dim_max integer no
.It user.bc_scale_max integer no
Index: sys/kern/init_sysctl.c
===================================================================
RCS file: /cvsroot/src/sys/kern/init_sysctl.c,v
retrieving revision 1.59
diff -u -p -r1.59 init_sysctl.c
--- sys/kern/init_sysctl.c 26 Dec 2005 18:45:27 -0000 1.59
+++ sys/kern/init_sysctl.c 13 Jan 2006 13:21:36 -0000
@@ -92,6 +92,7 @@ __KERNEL_RCSID(0, "$NetBSD: init_sysctl.
/* XXX this should not be here */
int security_curtain = 0;
+int security_sugid_coredump = 0;
/*
* try over estimating by 5 procs/lwps
@@ -1028,6 +1029,13 @@ SYSCTL_SETUP(sysctl_security_setup, "sys
" to users not owning them."),
NULL, 0, &security_curtain, 0,
CTL_SECURITY, SECURITY_CURTAIN, CTL_EOL);
+ sysctl_createv(clog, 0, NULL, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_INT, "sugid_coredump",
+ SYSCTL_DESCR("Set-user-id and set-group-id programs"
+ " will dump core on segfault."),
+ NULL, 0, &security_sugid_coredump, 0,
+ CTL_SECURITY, SECURITY_SUGIDCOREDUMP, CTL_EOL);
}
/*
Index: sys/kern/kern_sig.c
===================================================================
RCS file: /cvsroot/src/sys/kern/kern_sig.c,v
retrieving revision 1.213
diff -u -p -r1.213 kern_sig.c
--- sys/kern/kern_sig.c 24 Dec 2005 19:12:23 -0000 1.213
+++ sys/kern/kern_sig.c 13 Jan 2006 13:21:40 -0000
@@ -70,6 +70,7 @@ __KERNEL_RCSID(0, "$NetBSD: kern_sig.c,v
#include <sys/sa.h>
#include <sys/savar.h>
#include <sys/exec.h>
+#include <sys/sysctl.h>
#include <sys/mount.h>
#include <sys/syscallargs.h>
@@ -2103,7 +2104,7 @@ coredump(struct lwp *l, const char *patt
/*
* Make sure the process has not set-id, to prevent data leaks.
*/
- if (p->p_flag & P_SUGID)
+ if (!security_sugid_coredump && p->p_flag & P_SUGID)
return (EPERM);
/*
Index: sys/sys/sysctl.h
===================================================================
RCS file: /cvsroot/src/sys/sys/sysctl.h,v
retrieving revision 1.145
diff -u -p -r1.145 sysctl.h
--- sys/sys/sysctl.h 28 Dec 2005 19:09:30 -0000 1.145
+++ sys/sys/sysctl.h 13 Jan 2006 13:21:45 -0000
@@ -902,15 +902,18 @@ struct kinfo_file {
* CTL_SECURITY definitions.
*/
#define SECURITY_CURTAIN 1
-#define SECURITY_MAXID 2
+#define SECURITY_SUGIDCOREDUMP 2
+#define SECURITY_MAXID 3
#define CTL_SECURITY_NAMES { \
{ 0, 0 }, \
{ "curtain", CTLTYPE_INT }, \
+ { "sugid_coredump", CTLTYPE_INT }, \
}
/* XXX this should not be here */
extern int security_curtain;
+extern int security_sugid_coredump;
#ifdef _KERNEL
--------------010806000106060305030102--