Subject: Re: sysctl knob to let sugid processes dump core (pr 15994)
To: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
From: Elad Efrat <elad@NetBSD.org>
List: tech-security
Date: 07/14/2006 23:30:28
This is a multi-part message in MIME format.
--Boundary_(ID_1Dpj6FimdUvIQUUUYIZ4vg)
Content-type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: 7BIT
YAMAMOTO Takashi wrote:
> it seems there's no objection, at least on these lists.
> so please move them.
diff attached.
-e.
--
Elad Efrat
--Boundary_(ID_1Dpj6FimdUvIQUUUYIZ4vg)
Content-type: text/plain; name=setid_core.diff
Content-transfer-encoding: 7BIT
Content-disposition: inline; filename=setid_core.diff
Index: init_sysctl.c
===================================================================
RCS file: /usr/cvs/src/sys/kern/init_sysctl.c,v
retrieving revision 1.74
diff -u -p -r1.74 init_sysctl.c
--- init_sysctl.c 21 Jun 2006 13:46:17 -0000 1.74
+++ init_sysctl.c 13 Jul 2006 19:58:38 -0000
@@ -277,6 +277,7 @@ SYSCTL_SETUP(sysctl_kern_setup, "sysctl
extern int kern_logsigexit; /* defined in kern/kern_sig.c */
extern fixpt_t ccpu; /* defined in kern/kern_synch.c */
extern int dumponpanic; /* defined in kern/subr_prf.c */
+ const struct sysctlnode *rnode;
sysctl_createv(clog, 0, NULL, NULL,
CTLFLAG_PERMANENT,
@@ -804,6 +805,55 @@ SYSCTL_SETUP(sysctl_kern_setup, "sysctl
SYSCTL_DESCR("Mapping of CPU number to CPU id"),
sysctl_kern_cpid, 0, NULL, 0,
CTL_KERN, KERN_CP_ID, CTL_EOL);
+
+ sysctl_createv(clog, 0, NULL, &rnode,
+ CTLFLAG_PERMANENT,
+ CTLTYPE_NODE, "coredump",
+ SYSCTL_DESCR("Coredump settings."),
+ NULL, 0, NULL, 0,
+ CTL_KERN, CTL_CREATE, CTL_EOL);
+ sysctl_createv(clog, 0, &rnode, &rnode,
+ CTLFLAG_PERMANENT,
+ CTLTYPE_NODE, "setid",
+ SYSCTL_DESCR("Set-id processes' coredump settings."),
+ NULL, 0, NULL, 0,
+ CTL_CREATE, CTL_EOL);
+ sysctl_createv(clog, 0, &rnode, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_INT, "dump",
+ SYSCTL_DESCR("Allow set-id processes to dump core."),
+ sysctl_security_setidcore, 0, &security_setidcore_dump,
+ sizeof(security_setidcore_dump),
+ CTL_CREATE, CTL_EOL);
+ sysctl_createv(clog, 0, &rnode, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_STRING, "path",
+ SYSCTL_DESCR("Path pattern for set-id coredumps."),
+ sysctl_security_setidcorename, 0,
+ &security_setidcore_path,
+ sizeof(security_setidcore_path),
+ CTL_CREATE, CTL_EOL);
+ sysctl_createv(clog, 0, &rnode, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_INT, "owner",
+ SYSCTL_DESCR("Owner id for set-id processes' cores."),
+ sysctl_security_setidcore, 0, &security_setidcore_owner,
+ 0,
+ CTL_CREATE, CTL_EOL);
+ sysctl_createv(clog, 0, &rnode, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_INT, "group",
+ SYSCTL_DESCR("Group id for set-id processes' cores."),
+ sysctl_security_setidcore, 0, &security_setidcore_group,
+ 0,
+ CTL_CREATE, CTL_EOL);
+ sysctl_createv(clog, 0, &rnode, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_INT, "mode",
+ SYSCTL_DESCR("Mode for set-id processes' cores."),
+ sysctl_security_setidcore, 0, &security_setidcore_mode,
+ 0,
+ CTL_CREATE, CTL_EOL);
}
SYSCTL_SETUP(sysctl_kern_proc_setup,
@@ -1037,49 +1087,6 @@ SYSCTL_SETUP(sysctl_security_setup, "sys
" to users not owning them."),
NULL, 0, &security_curtain, 0,
CTL_CREATE, CTL_EOL);
-
- sysctl_createv(clog, 0, &rnode, &rnode,
- CTLFLAG_PERMANENT,
- CTLTYPE_NODE, "setid_core",
- SYSCTL_DESCR("Set-id processes' coredump settings."),
- NULL, 0, NULL, 0,
- CTL_CREATE, CTL_EOL);
- sysctl_createv(clog, 0, &rnode, NULL,
- CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
- CTLTYPE_INT, "dump",
- SYSCTL_DESCR("Allow set-id processes to dump core."),
- sysctl_security_setidcore, 0, &security_setidcore_dump,
- sizeof(security_setidcore_dump),
- CTL_CREATE, CTL_EOL);
- sysctl_createv(clog, 0, &rnode, NULL,
- CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
- CTLTYPE_STRING, "path",
- SYSCTL_DESCR("Path pattern for set-id coredumps."),
- sysctl_security_setidcorename, 0,
- &security_setidcore_path,
- sizeof(security_setidcore_path),
- CTL_CREATE, CTL_EOL);
- sysctl_createv(clog, 0, &rnode, NULL,
- CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
- CTLTYPE_INT, "owner",
- SYSCTL_DESCR("Owner id for set-id processes' cores."),
- sysctl_security_setidcore, 0, &security_setidcore_owner,
- 0,
- CTL_CREATE, CTL_EOL);
- sysctl_createv(clog, 0, &rnode, NULL,
- CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
- CTLTYPE_INT, "group",
- SYSCTL_DESCR("Group id for set-id processes' cores."),
- sysctl_security_setidcore, 0, &security_setidcore_group,
- 0,
- CTL_CREATE, CTL_EOL);
- sysctl_createv(clog, 0, &rnode, NULL,
- CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
- CTLTYPE_INT, "mode",
- SYSCTL_DESCR("Mode for set-id processes' cores."),
- sysctl_security_setidcore, 0, &security_setidcore_mode,
- 0,
- CTL_CREATE, CTL_EOL);
}
/*
--Boundary_(ID_1Dpj6FimdUvIQUUUYIZ4vg)--