Subject: Re: The reason for securelevel (was: sysctl knob to let sugid processes dump core (pr 15994))
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Travis H. <solinym@gmail.com>
List: tech-kern
Date: 01/29/2006 02:18:58
On 1/26/06, Steven M. Bellovin <smb@cs.columbia.edu> wrote:
> In principle, this is a fine idea.  In practice, figuring out the right
> set of bits is non-trivial.  It's not a direct analogy, but SGI has 48
> different privileges that a process can have.

I like the idea of having fine-grained controls.  That way, an expert
can configure his or her system with exactly the abilities necessary,
or they could code some userland "wizard" to ask you user-friendly
questions and set/check it for you.

Look at permissions on the file system, and mtree, for example.

Honestly, I know core dumps are important for debugging, but from a
sysadmin point of view they are quite frequently merely annoying
garbage that accumulates in directories that shouldn't really be:
a) writeable
b) increasing in size
c) increasing inode count
anyway.  I've deleted in excess of 100 core files for every one that
gets analyzed.

In case it's not clear, I think core dumps going to a specific
directory is a grand idea.
The cwd is usually somewhat arbitrary, and could be problematic.

I wonder if there are any security holes triggered by creating a file
with a name that isn't controlled by the attacker, but whose contents
may be somewhat controlled.

rcorder anyone?
--
"The generation of random numbers is too important to be left to chance."
  -- Robert Coveyou -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B