Subject: Re: sysctl knob to let sugid processes dump core (pr 15994)
To: None <tls@rek.tjls.com>
From: Garrett D'Amore <garrett_damore@tadpole.com>
List: tech-kern
Date: 01/25/2006 10:59:27
Thor Lancelot Simon wrote:
> On Tue, Jan 24, 2006 at 11:57:07PM -0800, Garrett D'Amore wrote:
>
>> Folks, lets remember, you can't get *any* core file from a sguid process
>> right now. By adding this feature, we're adding value.
>>
>
> Not from my point of view. From my point of view, we're adding the ability
> for an attacker to harvest sensitive information in a way in which he could
> not harvest it before -- and we're making it possible to turn that on
> without access to the machine's console.
>
> You could always change one line in the kernel and get this, if you wanted
> it. The difference, before, was that on a system running at securelevel 1
> or higher, you would need access to the machine in single user mode to do
> so, which allowed tightly constraining the set of potential attackers. By
> committing this change without a check for securelevel > 0, we cause a
> security regression: anyone with superuser access to the machine -- rather
> than physical access to the machine's console -- can now harvest information
> from setuid binaries.
>
>
I guess I wasn't clear on my point, which was that adding the
securelevel check was a good idea, and didn't reduce security
significantly. (And that the complaints that this impaired the new
functionality should be taken in light of the fact that setid cores
can't be taken at *all* right now.)
--
Garrett D'Amore, Principal Software Engineer
Tadpole Computer / Computing Technologies Division,
General Dynamics C4 Systems
http://www.tadpolecomputer.com/
Phone: 951 325-2134 Fax: 951 325-2191