Subject: Re: sysctl knob to let sugid processes dump core (pr 15994)
To: None <tech-security@NetBSD.org>
From: Elad Efrat <elad@NetBSD.org>
List: tech-security
Date: 01/23/2006 19:35:01
This is a multi-part message in MIME format.
--------------010205040606050002070706
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Okay here's a newer patch..
phyre:elad {47} sysctl security.setid_core
security.setid_core.dump = 0
security.setid_core.path = /var/crash/%n.core
security.setid_core.owner = 0
security.setid_core.group = 0
security.setid_core.mode = 384
phyre:elad {48}
When dump is 1 set-id coredumps are enabled.
Path is where they will be saved. It works *exactly* like
kern.defcorename as Bill suggested, but affects only the set-id
dumps.
Owner and group are obvious, mode is *octal* (I'll add sysctl support
for an octal printing flag like CTLFLAG_HEX).
Defaults are dump=0, path=/var/crash/%n.core (we can add /var/core),
owner=0, group=0, and mode=600.
Comments?
-e.
--
Elad Efrat
--------------010205040606050002070706
Content-Type: text/plain;
name="setid_core.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="setid_core.diff"
Index: kern/init_sysctl.c
===================================================================
RCS file: /cvsroot/src/sys/kern/init_sysctl.c,v
retrieving revision 1.59
diff -u -p -r1.59 init_sysctl.c
--- kern/init_sysctl.c 26 Dec 2005 18:45:27 -0000 1.59
+++ kern/init_sysctl.c 21 Jan 2006 19:43:55 -0000
@@ -92,6 +92,11 @@ __KERNEL_RCSID(0, "$NetBSD: init_sysctl.
/* XXX this should not be here */
int security_curtain = 0;
+int security_setidcore_dump;
+char security_setidcore_path[MAXPATHLEN] = "/var/crash/%n.core";
+uid_t security_setidcore_owner = 0;
+gid_t security_setidcore_group = 0;
+mode_t security_setidcore_mode = 0600;
/*
* try over estimating by 5 procs/lwps
@@ -1028,6 +1033,44 @@ SYSCTL_SETUP(sysctl_security_setup, "sys
" to users not owning them."),
NULL, 0, &security_curtain, 0,
CTL_SECURITY, SECURITY_CURTAIN, CTL_EOL);
+
+ sysctl_createv(clog, 0, NULL, NULL,
+ CTLFLAG_PERMANENT,
+ CTLTYPE_NODE, "setid_core",
+ SYSCTL_DESCR("Set-id processes' coredump settings."),
+ NULL, 0, NULL, 0,
+ CTL_SECURITY, SECURITY_SETIDCORE, CTL_EOL);
+
+ sysctl_createv(clog, 0, NULL, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_INT, "dump",
+ SYSCTL_DESCR("Allow set-id processes to dump core."),
+ NULL, 0, &security_setidcore_dump, 0,
+ CTL_SECURITY, SECURITY_SETIDCORE, CTL_CREATE, CTL_EOL);
+ sysctl_createv(clog, 0, NULL, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_STRING, "path",
+ SYSCTL_DESCR("Path pattern for set-id coredumps."),
+ NULL, 0, &security_setidcore_path, MAXPATHLEN,
+ CTL_SECURITY, SECURITY_SETIDCORE, CTL_CREATE, CTL_EOL);
+ sysctl_createv(clog, 0, NULL, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_INT, "owner",
+ SYSCTL_DESCR("Owner id for set-id processes' cores."),
+ NULL, 0, &security_setidcore_owner, 0,
+ CTL_SECURITY, SECURITY_SETIDCORE, CTL_CREATE, CTL_EOL);
+ sysctl_createv(clog, 0, NULL, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_INT, "group",
+ SYSCTL_DESCR("Group id for set-id processes' cores."),
+ NULL, 0, &security_setidcore_group, 0,
+ CTL_SECURITY, SECURITY_SETIDCORE, CTL_CREATE, CTL_EOL);
+ sysctl_createv(clog, 0, NULL, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_INT, "mode",
+ SYSCTL_DESCR("Mode for set-id processes' cores."),
+ NULL, 0, &security_setidcore_mode, 0,
+ CTL_SECURITY, SECURITY_SETIDCORE, CTL_CREATE, CTL_EOL);
}
/*
Index: kern/kern_sig.c
===================================================================
RCS file: /cvsroot/src/sys/kern/kern_sig.c,v
retrieving revision 1.213
diff -u -p -r1.213 kern_sig.c
--- kern/kern_sig.c 24 Dec 2005 19:12:23 -0000 1.213
+++ kern/kern_sig.c 21 Jan 2006 19:44:03 -0000
@@ -70,6 +70,7 @@ __KERNEL_RCSID(0, "$NetBSD: kern_sig.c,v
#include <sys/sa.h>
#include <sys/savar.h>
#include <sys/exec.h>
+#include <sys/sysctl.h>
#include <sys/mount.h>
#include <sys/syscallargs.h>
@@ -2101,9 +2102,10 @@ coredump(struct lwp *l, const char *patt
cred = p->p_cred->pc_ucred;
/*
- * Make sure the process has not set-id, to prevent data leaks.
+ * Make sure the process has not set-id, to prevent data leaks,
+ * unless it was specifically requested to allow set-id coredumps.
*/
- if (p->p_flag & P_SUGID)
+ if ((p->p_flag & P_SUGID) && !security_setidcore_dump)
return (EPERM);
/*
@@ -2126,6 +2128,9 @@ restart:
(vp->v_mount->mnt_flag & MNT_NOCOREDUMP) != 0)
return (EPERM);
+ if (p->p_flag & P_SUGID && security_setidcore_dump)
+ pattern = security_setidcore_path;
+
if (pattern == NULL)
pattern = p->p_limit->pl_corename;
if ((error = build_corename(p, name, pattern, sizeof(name))) != 0)
@@ -2155,6 +2160,13 @@ restart:
}
VATTR_NULL(&vattr);
vattr.va_size = 0;
+
+ if (p->p_flag & P_SUGID && security_setidcore_dump) {
+ vattr.va_uid = security_setidcore_owner;
+ vattr.va_gid = security_setidcore_group;
+ vattr.va_mode = security_setidcore_mode;
+ }
+
VOP_LEASE(vp, l, cred, LEASE_WRITE);
VOP_SETATTR(vp, &vattr, cred, l);
p->p_acflag |= ACORE;
Index: sys/sysctl.h
===================================================================
RCS file: /cvsroot/src/sys/sys/sysctl.h,v
retrieving revision 1.145
diff -u -p -r1.145 sysctl.h
--- sys/sysctl.h 28 Dec 2005 19:09:30 -0000 1.145
+++ sys/sysctl.h 21 Jan 2006 19:44:13 -0000
@@ -902,7 +902,8 @@ struct kinfo_file {
* CTL_SECURITY definitions.
*/
#define SECURITY_CURTAIN 1
-#define SECURITY_MAXID 2
+#define SECURITY_SETIDCORE 2
+#define SECURITY_MAXID 3
#define CTL_SECURITY_NAMES { \
{ 0, 0 }, \
@@ -911,6 +912,11 @@ struct kinfo_file {
/* XXX this should not be here */
extern int security_curtain;
+extern int security_setidcore_dump;
+extern char security_setidcore_path[];
+extern uid_t security_setidcore_owner;
+extern gid_t security_setidcore_group;
+extern mode_t security_setidcore_mode;
#ifdef _KERNEL
--------------010205040606050002070706--