Subject: Re: sysctl knob to let sugid processes dump core (pr 15994)
To: Chapman Flack <nblists@anastigmatix.net>
From: Curt Sampson <cjs@cynic.net>
List: tech-security
Date: 01/25/2006 14:05:08
On Tue, 24 Jan 2006, Chapman Flack wrote:

> But if you have a sugid binary on a production machine that you want
> to debug, I don't think the securelevel restriction should be too
> great an inconvenience - just arrange to tweak the sysctl knobs at
> your next restart, or go single-user for 40 seconds to tweak them, and
> return.

Depends on the sort of server, but if this covers the majority of
situations, it makes sense. However, I kind of instinctively think that
the sorts of servers where you'd want to be able to enable these core
dumps might well be ones running enough services that people would start
getting quite upset if you brought them all down in order to debug just
one. (E.g., bringing down Oracle--with potentially a much longer restart
than 40 seconds--just so you can figure out why ntp is dying on this
particular machine but none of your others.)

> If you are trying to debug a sugid binary, you're probably in a
> position to compile and replace it....

I'm not sure about that. It could well be a commercial app where the
vendor is asking for a core dump, but you don't have source.

cjs
-- 
Curt Sampson            <cjs@cynic.net>             +81 90 7737 2974
   The power of accurate observation is commonly called cynicism
   by those who have not got it.    --George Bernard Shaw