Subject: Re: SUGID bit in coredump()
To: None <firstname.lastname@example.org, tech-kern@NetBSD.ORG>
From: Chris Torek <torek@BSDI.COM>
Date: 10/18/1996 19:30:47

``Use the Source, Luke!'' :-)

>If we turn on the SUGID bit as soon as a root process does a

I was the one who added the SUGID bit (back when it was SSUGID
rather than P_SUGID), when Craig Leres and I were putting Van
Jacobson's ptrace attach in. We needed something that would get
set and stay set any time a process had or changed any privileges,
until it exec'ed some other program. The exec wipes memory, and
by that time it should have closed any `sensitive' file descriptors.

I was actually not worried as much about memory contents as about
attaching to a previously-root process that had some important file
open read/write -- you could use ptrace to zap new code into it,
then write arbitrary new contents. This included processes that
started life as root and then became someone else, so P_SUGID is
set for *all* privilege-changing operations, even setgroups().

I did not think to apply it to core dumps at that time, but it
is the correct bit to use. We (BSDI) have switched over to
testing P_SUGID recently as well.
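
A small userland model of the sticky-flag behaviour described in the message above, added here as an illustration; it is not NetBSD or BSDI kernel code. The struct, the function names and the flag value are hypothetical, and the permission checks are reduced to a uid comparison so that the effect of the bit stands out.

```c
#include <stdbool.h>
#include <stdio.h>

#define P_SUGID 0x0100   /* constructed value; only the name comes from the message */

struct proc {            /* hypothetical, simplified stand-in for a kernel process entry */
    unsigned uid;
    int flags;
};

/* Every privilege-changing call marks the process, even a "drop" to an ordinary user. */
static void model_setuid(struct proc *p, unsigned uid) { p->uid = uid; p->flags |= P_SUGID; }
static void model_setgroups(struct proc *p) { p->flags |= P_SUGID; }

/* exec replaces the memory image. Assumption of this model: the mark is kept
 * only when the new image is itself set-id, otherwise it is cleared. */
static void model_exec(struct proc *p, bool image_is_setid)
{
    if (image_is_setid) p->flags |= P_SUGID;
    else p->flags &= ~P_SUGID;
}

/* Weak check: compares current uids only, so a formerly-root process looks ordinary. */
static bool attach_ok_uid_only(const struct proc *tracer, const struct proc *target)
{
    return tracer->uid == target->uid;
}

/* Stronger check: also refuses any target that still carries the sticky mark. */
static bool attach_ok_sugid(const struct proc *tracer, const struct proc *target)
{
    return tracer->uid == target->uid && !(target->flags & P_SUGID);
}

/* The same bit decides whether a core file may be written. */
static bool coredump_ok(const struct proc *p) { return !(p->flags & P_SUGID); }

int main(void)
{
    struct proc user = { 1000, 0 };
    struct proc daemon = { 0, 0 };      /* starts life as root ... */
    model_setuid(&daemon, 1000);        /* ... then becomes someone else */
    printf("uid-only attach: %d\n", attach_ok_uid_only(&user, &daemon));
    printf("P_SUGID attach:  %d\n", attach_ok_sugid(&user, &daemon));
    printf("core dump:       %d\n", coredump_ok(&daemon));
    model_exec(&daemon, false);         /* fresh, unprivileged image */
    printf("after exec:      %d\n", attach_ok_sugid(&user, &daemon));
    return 0;
}
```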