Subject: Re: setuid, core dumps, ftpd, and DB
To: None <tech-userlevel@NetBSD.ORG, freebsd-hackers@freefall.freebsd.org>
From: J Wunsch <j@uriah.heep.sax.de>
List: tech-userlevel
Date: 10/20/1996 09:41:39
As Poul-Henning Kamp wrote:
> It was pointed out by me already 8 years ago:
>
> "[...] core-dumps as default is an evil thing. There should be
> some way to >enable< core-dumps when you want them, rather than
> have them as default. This would also solve security issue
> where a core-dump may contain sensitive information. [...]"
>
> What we need is really a new syscall:
>
> procctl(pid, function, arg)
The only problem with this is that programs tend to dump core without
asking the developer first. ;-) That's the nature of bugs, the
programmer often does not anticipate them. Thus, they are sometimes a
good means for a post-mortem analysis.
So it should at least be possible to centrally override the `no core
dump' flag site-wide e.g. by a sysctl that is only allowed to root
(and only if the securelevel is low enough). This would give sites
that are doing development but don't care that much for security
problems (since they can basically trust their users) a means to avoid
bloating all their programs with yet another operating-system
non-portable system call.
> PROCCTL_CORENAME
> (arg is pathname to use for corefile)
This might open a can of worms. Think of somebody maliciously setting
the filename to "/etc/master.passwd". Think of the daily cleanup jobs
that try to purge old coredumps.
--
cheers, J"org
joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)