Subject: Re: sysctl knob to let sugid processes dump core (pr 15994)
To: Greg Troxel <gdt@ir.bbn.com>
From: None <joerg@britannica.bec.de>
List: tech-kern
Date: 01/13/2006 18:41:27
On Fri, Jan 13, 2006 at 12:34:45PM -0500, Greg Troxel wrote:
> I like the idea of both default owner and default directory to save the
> coredumps of sugid processes.
>
> That sounds complicated. How about just make them owned by root and
> 0400, and put them where they would have gone if not suid? Anyone who
> is debugging suid stuff and wants core dumps can become root to deal
> with the core dump. And, there's less to go wrong security-wise than
> managing more defaults.
The reason why I suggested a default directory is to avoid confusion
e.g. in queue directories. Just think about sendmail :-)
The fallout is of course not critical for a pure debugging machine, but
when this feature should be useable on production machines without
unnecessary compromises of security, it has to satisfy the following
conditions:
(a) no random user can read the coredumps (permission 0600 or less).
(b) no random program is likely to pick this coredumps up -- readable or
not.
(c) it must be possible to limit disk usage.
If all three conditions are satisfied, it is can be activated in a
production environment and the only information leak is writing the
memory to disk, e.g. passwords. That's often a non-issue though.
Joerg