Subject: Re: sysctl knob to let sugid processes dump core (pr 15994)
To: Greg Troxel <gdt@ir.bbn.com>
From: None <joerg@britannica.bec.de>
List: tech-kern
Date: 01/13/2006 18:41:27
On Fri, Jan 13, 2006 at 12:34:45PM -0500, Greg Troxel wrote:
>   I like the idea of both default owner and default directory to save the
>   coredumps of sugid processes.
> 
> That sounds complicated.  How about just make them owned by root and
> 0400, and put them where they would have gone if not suid?  Anyone who
> is debugging suid stuff and wants core dumps can become root to deal
> with the core dump.  And, there's less to go wrong security-wise than
> managing more defaults.

The reason why I suggested a default directory is to avoid confusion
e.g. in queue directories. Just think about sendmail :-)

The fallout is of course not critical for a pure debugging machine, but
if this feature is to be usable on production machines without
unnecessary compromises of security, it has to satisfy the following
conditions:
(a) no random user can read the coredumps (permission 0600 or less).
(b) no random program is likely to pick these coredumps up -- readable or
not.
(c) it must be possible to limit disk usage.

If all three conditions are satisfied, it can be activated in a
production environment and the only information leak is writing the
memory to disk, e.g. passwords. That's often a non-issue though.

Joerg
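An added example, not part of Joerg's message and not NetBSD code: a POSIX sh audit of the directory a kernel has been told to put set-id core dumps in, checked against conditions (a) and (b) above (files 0600 or stricter and owned by the expected uid, directory not group/other accessible) plus a simple (c)-style check that the shell's core size limit is bounded. The script does not know which sysctl selects the directory or owner; both are passed in by hand, and the directory name and uid used in the usage line at the bottom are assumptions. It relies only on POSIX ls(1) -l/-n output columns, so it works on both BSD and GNU userlands.

```shell
#!/bin/sh
# Added audit script (hypothetical, not from the tech-kern thread).
# check_coredir DIR EXPECTED_UID
#   Returns 0 if DIR is mode 0700 or stricter and every regular file in it
#   is owned by EXPECTED_UID with no group/other permission bits.
#   Prints each offending path and returns 1 otherwise.
check_coredir() {
    dir=$1
    want_uid=$2
    rc=0

    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir"
        return 1
    fi

    # ls -ld prints e.g. 'drwx------'; characters 5-10 are the group/other
    # bits and must all be '-' for condition (b)'s "no random program".
    dmode=$(ls -ldn "$dir" | cut -c5-10)
    case $dmode in
        ------) ;;
        *) echo "directory $dir has group/other bits: $dmode"; rc=1 ;;
    esac

    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        # ls -ln fields: mode links uid gid size ...; -n gives numeric ids,
        # so this does not depend on /etc/passwd and works for any uid.
        set -- $(ls -ln "$f")
        mode=$1
        uid=$3
        # Condition (a): no read bit for group or other (0600 or less).
        case $(printf '%s' "$mode" | cut -c5-10) in
            ------) ;;
            *) echo "$f readable by group/other: $mode"; rc=1 ;;
        esac
        if [ "$uid" != "$want_uid" ]; then
            echo "$f owned by uid $uid, expected $want_uid"
            rc=1
        fi
    done
    return $rc
}

# core_limit_bounded
#   Condition (c) for this shell and its children: returns 0 unless the
#   core size resource limit is 'unlimited'.  The kernel-side disk cap
#   discussed in the thread is a separate matter; this only shows the
#   per-process limit a practitioner can set with ulimit -c.
core_limit_bounded() {
    lim=$(ulimit -c 2>/dev/null) || return 1
    [ "$lim" != "unlimited" ]
}

# Usage (assumed directory and owner, adjust to your configuration):
#   check_coredir /var/crash 0 && core_limit_bounded && echo "core dir OK"
```

The check deliberately rejects setgid/sticky markers (`s`, `S`, `t`) in the mode string as well, since a setgid core directory would hand every dump a group that condition (a) says nothing about; treat a failure there as something to look at rather than a false positive.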