Subject: Re: coredump following symlinks
To: Manuel Bouyer <>
From: Roger Brooks <>
List: tech-kern
Date: 08/27/1999 14:40:27

On Fri, 27 Aug 1999, Manuel Bouyer wrote:

>On Fri, Aug 27, 1999 at 03:17:38PM +0200, Manuel Bouyer wrote:
>> It's really hard, I fear we will always be able to get a root program
>> dumping core for some time ...
>> For security I'd really like to be able to disable core dumps on symlinks.
>> Would a sysctl be an option ?
>I got another idea: disable core dump if the owner of the existing file
>(symlink or something else) is not the same as the one of the process. Is this
>OK ?

Well the danger is usually from a setuid process dumping core and some
versions of unix don't allow setuid programs to dump core (HP-UX used to
be like this).  So I suppose you could add a sysctl which would switch
this behaviour off or on.

But it's sometimes very useful to be able to move a core dump into another
filesystem with a symbolic link, particularly if you have an obscure bug
in a daemon and there isn't room for the coredump in / (or wherever its
CWD is).  I have another couple of ideas which might help:

1.  Modify the code which generates the coredump so that if the program is
    setuid, the core file is opened with the real uid (and gid).

2.  Have the coredump code lstat the prospective core file.  If it's a
    symbolic link which points to an existing file, read it for a magic
    number and only let the coredump happen if the file already contains
    a coredump.

If you were to do both the above I think you'd have prevented tricks based
on symlinking core to /etc/passwd and then making a setuid-root program drop


Roger Brooks (Systems Programmer),          |  Email:
Computing Services Dept,                    |  Tel:   +44 151 794 4441
The University of Liverpool,                |  Fax:   +44 151 794 4442
PO Box 147, Liverpool L69 3BX, UK           |