tech-kern: Re: The reason for securelevel (was: sysctl knob to let sugid processes dump core (pr 15994))

Subject: Re: The reason for securelevel (was: sysctl knob to let sugid processes dump core (pr 15994))
To: Travis H. <solinym@gmail.com>
From: Garrett D'Amore <garrett_damore@tadpole.com>
List: tech-kern
Date: 01/29/2006 08:51:47

--nextPart31638122.KaMTxGRhQ9
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Sunday 29 January 2006 12:18 am, Travis H. wrote:
> On 1/26/06, Steven M. Bellovin <smb@cs.columbia.edu> wrote:
> > In principle, this is a fine idea.  In practice, figuring out the right
> > set of bits is non-trivial.  It's not a direct analogy, but SGI has 48
> > different privileges that a process can have.
>
> I like the idea of having fine-grained controls.  That way, an expert
> can configure his or her system with exactly the abilities necessary,
> or they could code some userland "wizard" to ask you user-friendly
> questions and set/check it for you.
>
> Look at permissions on the file system, and mtree, for example.
>
> Honestly, I know core dumps are important for debugging, but from a
> sysadmin point of view they are quite frequently merely annoying
> garbage that accumulates in directories that shouldn't really be:
> a) writeable
> b) increasing in size
> c) increasing inode count
> anyway.  I've deleted in excess of 100 core files for every one that
> gets analyzed.

Add to this that dumping core over NFS is really hard on the network.
=46or this reason I have done this:

cd ~
mkdir core

The core files have all stopped.

> --
> "The generation of random numbers is too important to be left to chance."
>   -- Robert Coveyou -><- http://www.lightconsulting.com/~travis/
> GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

=2D-=20
Garrett D'Amore, Principal Software Engineer
Tadpole Computer / Computing Technologies Division,
General Dynamics C4 Systems
http://www.tadpolecomputer.com/
Phone: 951 325-2134  Fax: 951 325-2191

--nextPart31638122.KaMTxGRhQ9
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (SunOS)

iQEVAwUAQ9zypv49Sp1nAoU7AQJfxgf/f8Zh3ltZ5jm7jnJBoQhYbef8e0KD90mn
wM36flRkM/fntsDScA6gFhPTu41ymiKWJXbX671CS5gDHNiwO0NZE6NjA+acxJG/
Ta+ptfJJHZrleOYw6qyn7MrslycM07x21A2+EOuNI5rOJq3tLzUnvzwNIIVPSO02
xw9nddpL1UvhnmBixw/8W7oQb77hrsZsjvQmpMRLaYtdnvwfjiAcxipy7x5aHDxy
fwz0v86UVaxH8SfEHUekQr2KVqdf89hsQ5MUtbgcyIt5dRnYcryouc18ipMIUYYB
IeWCNS25FppcOvAE8TOSPW0xcC4vqLxUFeWt6Om7g2+c4eFZLeQZ3w==
=xVyV
-----END PGP SIGNATURE-----

--nextPart31638122.KaMTxGRhQ9--