Subject: Re: sysctl knob to let sugid processes dump core (pr 15994)
To: None <tech-kern@netbsd.org>
From: None <joerg@britannica.bec.de>
List: tech-kern
Date: 01/13/2006 15:54:42
On Fri, Jan 13, 2006 at 04:41:04PM +0200, Elad Efrat wrote:
> joerg@britannica.bec.de wrote:
>
> > Who will be the owner of the setugid core dump?
>
> Effective uid.
The question arises because there are at least three uids which can be
involved:
- the real uid
- the effective uid
- the saved uid
This can all be different depending on the time of the coredump, the
effective uid will typically be either the real uid or the saved uid.
Having inconsistent uids for coredumps sounds like a very bad thing and
generating the coredumps with the saved uid would be exactly the
possible information leak mentioned in the PR.
My proposal would be to modify the sysctls to provide a default uid for
setugid programs and maybe even a default path. With that it would be
possible for root to limit the access to the coredump files even for
normal programs running as root (think about a queue directory), but
also use e.g. quotas to prevent local DOS. Therefore the setugid
coredumping would be *relatively* save, even in a productive
environment.
Joerg