Subject: Re: The reason for securelevel (was: sysctl knob to let sugid processes dump core (pr 15994))
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Travis H. <solinym@gmail.com>
List: tech-security
Date: 01/29/2006 02:18:58
On 1/26/06, Steven M. Bellovin <smb@cs.columbia.edu> wrote:
> In principle, this is a fine idea. In practice, figuring out the right
> set of bits is non-trivial. It's not a direct analogy, but SGI has 48
> different privileges that a process can have.
I like the idea of having fine-grained controls. That way, an expert
can configure his or her system with exactly the abilities necessary,
or someone could code some userland "wizard" to ask you user-friendly
questions and set/check it for you.
Look at permissions on the file system, and mtree, for example.
Honestly, I know core dumps are important for debugging, but from a
sysadmin point of view they are quite frequently merely annoying
garbage that accumulates in directories that shouldn't really be:
a) writeable
b) increasing in size
c) increasing in inode count
anyway. I've deleted in excess of 100 core files for every one that
gets analyzed.
In case it's not clear, I think core dumps going to a specific
directory is a grand idea.
The cwd is usually somewhat arbitrary, and could be problematic.
I wonder if there are any security holes triggered by creating a file
with a name that isn't controlled by the attacker, but whose contents
may be somewhat controlled.
rcorder anyone?
--
"The generation of random numbers is too important to be left to chance."
-- Robert Coveyou -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B