Subject: Re: sysctl knob to let sugid processes dump core (pr 15994)
To: None <tech-kern@NetBSD.org>
From: None <joerg@britannica.bec.de>
List: tech-kern
Date: 01/13/2006 20:58:17
On Fri, Jan 13, 2006 at 11:16:43AM -0800, Garrett D'Amore wrote:
> Here's the scenario I see, and it should be thought out:

Yes, this is very similar to what I had in mind.

> Imagine this attack: malicious user drops in a symlink from /var/core to
> /.  Site doesn't use this for many months, but then either turns this
> feature on, or perhaps the first core dump occurs many months later. 
> The process of dumping core now clobbers the root filesystem, and I have
> a major outage.

Coredumps don't follow symlinks, we would have enough problems already
otherwise. Second, I did ask for a default directory for those coredumps
exactly to prevent such problems. Setuid-root programs (just like
root programs) could coredump everywhere, it makes sense to redirect
that output. The uid of the output just makes it easier to limit disk
usage, esp. when /var/core [to use your example] is not a separate
filesystem.

Joerg