Subject: Re: sysctl knob to let sugid processes dump core (pr 15994)
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Gavan Fantom <gavan@coolfactor.org>
List: tech-kern
Date: 01/14/2006 00:49:36
Steven M. Bellovin wrote:
> I'm still trying to wrap my brain around all of the security 
> implications of this proposal.  I don't think they've all come out yet.
> For example, we can't just go with the effective uid for the owner of 
> the dump; many setuid programs shed their permissions at some point.
> We need the saved uid.  We also have to worry about setgid programs -- 
> will the real user own the core dump?

[...]

> It would be nice if we could make it easy for non-root to debug 
> setuid programs.

Suppose you have a program set-id (non-root) user A, being run by user 
B. While it's clear that you wouldn't want user B being able to read the 
core dump as it might expose A's private data, I'm not sure it'd be a 
good idea for A to own it either. Granted, A could grab B's private data 
by modifying the program, but even so I'm not sure we'd want to just 
give A a bunch of B's data.

-- 
Gillette - the best a man can forget