Subject: Re: sysctl knob to let sugid processes dump core (pr 15994)
To: Greg Troxel <firstname.lastname@example.org>
From: None <email@example.com>
Date: 01/13/2006 18:41:27
On Fri, Jan 13, 2006 at 12:34:45PM -0500, Greg Troxel wrote:
> I like the idea of both default owner and default directory to save the
> coredumps of sugid processes.
> That sounds complicated. How about just make them owned by root and
> 0400, and put them where they would have gone if not suid? Anyone who
> is debugging suid stuff and wants core dumps can become root to deal
> with the core dump. And, there's less to go wrong security-wise than
> managing more defaults.
The reason why I suggested a default directory is to avoid confusion
e.g. in queue directories. Just think about sendmail :-)
The fallout is of course not critical for a pure debugging machine, but
when this feature should be useable on production machines without
unnecessary compromises of security, it has to satisfy the following
(a) no random user can read the coredumps (permission 0600 or less).
(b) no random program is likely to pick this coredumps up -- readable or
(c) it must be possible to limit disk usage.
If all three conditions are satisfied, it is can be activated in a
production environment and the only information leak is writing the
memory to disk, e.g. passwords. That's often a non-issue though.