Subject: Re: coredump following symlinks
To: Bill Sommerfeld <firstname.lastname@example.org>
From: Manuel Bouyer <email@example.com>
Date: 08/27/1999 17:56:21
On Fri, Aug 27, 1999 at 11:03:43AM -0400, Bill Sommerfeld wrote:
> > Is this possible ?
> If not now, it's likely to be in the future.
> > Do you have an idea on how to solve this ? I'm not really familiar with
> > VFS ...
> It's not specific to VFS; it's a classic security gotcha with any kind
> of kernel where you check one thing and then operate on another.
Actually it's more like we operate on the same thing, but we release the lock
between the 2 operations. I don't know how to fix this without rewriting
parts of vn_open() in kern_sig() (or add a function like vn_open()
but which takes a struct nameidata on which namei() has already been run).
> Just don't allow coredumps through symlinks, since it's of dubious
> value now that corefiles are named "progname.core" anyway.
This one is easier, it can be done in vn_open(). I've just stolen what
OpenBSD did :)
> Over on tech-security I just proposed a "coredump filename format"
> process attribute which would give the folks creating ~/core symlinks
> what they really want, which is a way to control where the coredumps
Who will implement it ? :)
Manuel Bouyer, LIP6, Universite Paris VI. Manuel.Bouyer@lip6.fr
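
A userland analogue of the second approach in this message (refuse the symlink in the same call that opens the file, then check the opened object rather than the name), as an added example that is not code from this thread, NetBSD or OpenBSD. The names open_dump_nofollow and demo are hypothetical and the scratch files are constructed.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open a dump file without following a symlink in the
 * last path component. The refusal happens inside open() itself, so there is
 * no gap between "check" and "use". Returns an fd, or a negative errno. */
int open_dump_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -errno;   /* ELOOP on Linux for a symlink; other systems differ */
    /* Validate the object we hold, not the name; truncate only afterwards. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || ftruncate(fd, 0) < 0) {
        close(fd);
        return -EPERM;
    }
    return fd;
}

/* Constructed scenario: a scratch directory where "prog.core" is a symlink to
 * another file. Returns 0 if the symlink is refused, its target keeps its
 * contents, and a plain dump path still opens; 1 or -1 otherwise. */
int demo(void)
{
    char dir[] = "/tmp/coredemoXXXXXX", target[64], lnk[64], plain[64];
    struct stat st;
    int fd, refused, rc = 1;

    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/prog.core", dir);
    snprintf(plain, sizeof plain, "%s/other.core", dir);
    fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "data", 4) != 4 || close(fd) || symlink(target, lnk))
        return -1;
    refused = open_dump_nofollow(lnk);
    fd = open_dump_nofollow(plain);
    if (refused < 0 && fd >= 0 && stat(target, &st) == 0 && st.st_size == 4)
        rc = 0;
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(plain); unlink(target); rmdir(dir);
    return rc;
}
int main(void) { int rc = demo(); printf("demo: %d\n", rc); return rc; }
```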