Subject: sysctl knob to let sugid processes dump core (pr 15994)
To: None <tech-kern@netbsd.org, tech-security@NetBSD.org>
From: Elad Efrat <elad@NetBSD.org>
List: tech-security
Date: 01/13/2006 15:31:02

Hi,

PR 15994 suggests a sysctl knob to allow set-id processes to dump
core. This is a security risk, but may be useful (as the PR
notes) on machines used for debugging.

Attached is a patch very similar to the one in the PR only that
it uses sysctl(9). It adds a security.sugid_coredump knob, default
off, and notes the security risk in the sysctl(3) man-page.

If this is not a welcome change, please state so and I'll close
the PR. However, if it is, I know some people suggested having
the knob work with specific care of the system securelevel, such
as not allowing this knob to be used on securelevel > 1.

Please voice your opinion on what the wanted behavior is, if at
all, and I'll take care of the code/PR.

-e.

-- 
Elad Efrat

Content-Type: text/plain;
 name="sugid_coredump.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="sugid_coredump.diff"

Index: lib/libc/gen/sysctl.3
===================================================================
RCS file: /cvsroot/src/lib/libc/gen/sysctl.3,v
retrieving revision 1.159
diff -u -p -r1.159 sysctl.3
--- lib/libc/gen/sysctl.3	1 Dec 2005 18:08:10 -0000	1.159
+++ lib/libc/gen/sysctl.3	13 Jan 2006 13:21:31 -0000
@@ -29,7 +29,7 @@
 .\"
 .\"	@(#)sysctl.3	8.4 (Berkeley) 5/9/95
 .\"
-.Dd December 1, 2005
+.Dd January 13, 2006
 .Dt SYSCTL 3
 .Os
 .Sh NAME
@@ -1878,9 +1878,10 @@ for more details.
 .Sh CTL_SECURITY
 The security level contains various security-related settings for
 the system. Available settings are detailed below.
-.Bl -column "SECURITY_CURTAIN" "integerXXX" -offset indent
+.Bl -column "SECURITYXSUGIDCOREDUMP" "integerXXX" -offset indent
 .It Sy Second level name	Type	Changeable
 .It SECURITY_CURTAIN	integer	yes
+.It SECURITY_SUGIDCOREDUMP	integer	yes
 .El
 .Pp
 .Bl -tag -width "123456"
@@ -1899,6 +1900,10 @@ and
 .Dv PF_UNIX
 PCBs), and
 .Xr w 1 .
+.It Li SECURITY_SUGIDCOREDUMP
+If non-zero, set-user-id and set-group-id processes will dump core
+on segfault. Because this is a security risk, the default behavior
+is to not dump core when such a process segfaults.
 .El
 .Sh CTL_VENDOR
 The "vendor" toplevel name is reserved to be used by vendors who wish to
Index: sbin/sysctl/sysctl.8
===================================================================
RCS file: /cvsroot/src/sbin/sysctl/sysctl.8,v
retrieving revision 1.134
diff -u -p -r1.134 sysctl.8
--- sbin/sysctl/sysctl.8	21 Dec 2005 12:21:06 -0000	1.134
+++ sbin/sysctl/sysctl.8	13 Jan 2006 13:21:32 -0000
@@ -61,7 +61,7 @@
 .\"
 .\"	@(#)sysctl.8	8.1 (Berkeley) 6/6/93
 .\"
-.Dd December 21, 2005
+.Dd January 13, 2006
 .Dt SYSCTL 8
 .Os
 .Sh NAME
@@ -512,6 +512,7 @@ privilege can change the value.
 .It proc.\*[Lt]pid\*[Gt].stopexec	int	yes
 .It proc.\*[Lt]pid\*[Gt].stopfork	int	yes
 .It security.curtain	integer	yes
+.It security.sugid_coredump	integer	yes
 .It user.bc_base_max	integer	no
 .It user.bc_dim_max	integer	no
 .It user.bc_scale_max	integer	no
Index: sys/kern/init_sysctl.c
===================================================================
RCS file: /cvsroot/src/sys/kern/init_sysctl.c,v
retrieving revision 1.59
diff -u -p -r1.59 init_sysctl.c
--- sys/kern/init_sysctl.c	26 Dec 2005 18:45:27 -0000	1.59
+++ sys/kern/init_sysctl.c	13 Jan 2006 13:21:36 -0000
@@ -92,6 +92,7 @@ __KERNEL_RCSID(0, "$NetBSD: init_sysctl.
 
 /* XXX this should not be here */
 int security_curtain = 0;
+int security_sugid_coredump = 0;
 
 /*
  * try over estimating by 5 procs/lwps
@@ -1028,6 +1029,13 @@ SYSCTL_SETUP(sysctl_security_setup, "sys
 				    " to users not owning them."),
 		       NULL, 0, &security_curtain, 0,
 		       CTL_SECURITY, SECURITY_CURTAIN, CTL_EOL);
+	sysctl_createv(clog, 0, NULL, NULL,
+		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+		       CTLTYPE_INT, "sugid_coredump",
+		       SYSCTL_DESCR("Set-user-id and set-group-id programs"
+				    " will dump core on segfault."),
+		       NULL, 0, &security_sugid_coredump, 0,
+		       CTL_SECURITY, SECURITY_SUGIDCOREDUMP, CTL_EOL);
 }
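Review bot: The SYSCTL_DESCR string in the new sysctl_createv() call says the programs "will dump core on segfault", but the check this knob relaxes lives in coredump(), which is reached for every signal whose default action dumps core, not only SIGSEGV, so the description misstates when the knob applies. `SYSCTL_DESCR("Allow set-user-id and set-group-id programs to dump core")` describes the knob itself rather than one trigger. The same "on segfault" wording is used in the sysctl.3 text added by this patch and should be changed together with it. The enclosing SYSCTL_SETUP(sysctl_security_setup) body starts outside the hunk.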
 
 /*
Index: sys/kern/kern_sig.c
===================================================================
RCS file: /cvsroot/src/sys/kern/kern_sig.c,v
retrieving revision 1.213
diff -u -p -r1.213 kern_sig.c
--- sys/kern/kern_sig.c	24 Dec 2005 19:12:23 -0000	1.213
+++ sys/kern/kern_sig.c	13 Jan 2006 13:21:40 -0000
@@ -70,6 +70,7 @@ __KERNEL_RCSID(0, "$NetBSD: kern_sig.c,v
 #include <sys/sa.h>
 #include <sys/savar.h>
 #include <sys/exec.h>
+#include <sys/sysctl.h>
 
 #include <sys/mount.h>
 #include <sys/syscallargs.h>
@@ -2103,7 +2104,7 @@ coredump(struct lwp *l, const char *patt
 	/*
 	 * Make sure the process has not set-id, to prevent data leaks.
 	 */
-	if (p->p_flag & P_SUGID)
+	if (!security_sugid_coredump && p->p_flag & P_SUGID)
 		return (EPERM);
 
 	/*
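Review bot: The new condition mixes `&` and `&&` without parentheses, and the comment above it still says the process must not be set-id, which is no longer unconditional; prefer `if (!security_sugid_coredump && (p->p_flag & P_SUGID))` and reword the comment to `/* Refuse to dump set-id processes, to prevent data leaks, unless security.sugid_coredump is set. */`. Nothing here ties the knob to the securelevel question the cover mail raises; if the kernel's `securelevel` global is visible in this file, a guard of the form `if ((!security_sugid_coredump || securelevel > 1) && (p->p_flag & P_SUGID))` would keep set-id dumps refused at securelevel > 1 regardless of the knob, which seems to be the behavior the mail describes. coredump() begins before this hunk and continues after it.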
Index: sys/sys/sysctl.h
===================================================================
RCS file: /cvsroot/src/sys/sys/sysctl.h,v
retrieving revision 1.145
diff -u -p -r1.145 sysctl.h
--- sys/sys/sysctl.h	28 Dec 2005 19:09:30 -0000	1.145
+++ sys/sys/sysctl.h	13 Jan 2006 13:21:45 -0000
@@ -902,15 +902,18 @@ struct kinfo_file {
  * CTL_SECURITY definitions.
  */
 #define	SECURITY_CURTAIN	1
-#define	SECURITY_MAXID		2
+#define	SECURITY_SUGIDCOREDUMP	2
+#define	SECURITY_MAXID		3
 
 #define	CTL_SECURITY_NAMES { \
 	{ 0, 0 }, \
 	{ "curtain", CTLTYPE_INT }, \
+	{ "sugid_coredump", CTLTYPE_INT }, \
 }
 
 /* XXX this should not be here */
 extern int security_curtain;
+extern int security_sugid_coredump;
 
 #ifdef _KERNEL
 
