Subject: Re: sysctl knob to let sugid processes dump core (pr 15994)
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Gavan Fantom <gavan@coolfactor.org>
List: tech-security
Date: 01/14/2006 00:49:36
Steven M. Bellovin wrote:
> I'm still trying to wrap my brain around all of the security 
> implications of this proposal.  I don't think they've all come out yet.
> For example, we can't just go with the effective uid for the owner of 
> the dump; many setuid programs shed their permissions at some point.
> We need the saved uid.  We also have to worry about setgid programs -- 
> will the real user own the core dump?

[...]

> It would be nice if we could make it easy for non-root to debug 
> setuid programs.

Suppose you have a program set-id (non-root) user A, being run by user 
B. While it's clear that you wouldn't want user B being able to read the 
core dump as it might expose A's private data, I'm not sure it'd be a 
good idea for A to own it either. Granted, A could grab B's private data 
by modifying the program, but even so I'm not sure we'd want to just 
give A a bunch of B's data.

-- 
Gillette - the best a man can forget
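To make the uid bookkeeping behind this exchange concrete, here is an added example (not code from the thread or from NetBSD) that models the POSIX real/effective/saved uid triple across a set-id exec and an unprivileged seteuid(2), then shows what each candidate ownership rule would pick; the uid values, the function names and the uniform-triple "dumpable" check are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Model of the credentials the thread talks about: real, effective and
 * saved uid. Constructed for illustration, not the kernel's structure. */
struct uids { uid_t ruid, euid, suid; };

/* exec of a set-id binary owned by "A", run by "B": the real uid stays
 * the caller's, effective and saved uid become the file owner's. */
struct uids setid_exec(uid_t caller_b, uid_t owner_a) {
    struct uids u = { caller_b, owner_a, owner_a };
    return u;
}

/* Unprivileged seteuid(2): the target must equal the real or the saved
 * uid; the saved uid is left alone, so privilege can be regained later.
 * Returns false (and changes nothing) when the call would fail. */
bool model_seteuid(struct uids *u, uid_t target) {
    if (u->euid != 0 && target != u->ruid && target != u->suid)
        return false;
    u->euid = target;
    return true;
}

/* Assumed approximation of the existing sugid rule: only a process whose
 * three uids agree is allowed to dump core at all. */
bool plain_dumpable(const struct uids *u) {
    return u->ruid == u->euid && u->euid == u->suid;
}

/* Who would own the dump under an "effective uid" rule... */
uid_t owner_by_euid(const struct uids *u) { return u->euid; }
/* ...and under the "saved uid" rule the quoted message argues for. */
uid_t owner_by_suid(const struct uids *u) { return u->suid; }

int main(void) {
    struct uids u = setid_exec(1001, 1000);   /* B = 1001 runs A's (1000) binary */
    printf("after exec:   r=%u e=%u s=%u dumpable=%d\n",
           u.ruid, u.euid, u.suid, plain_dumpable(&u));
    model_seteuid(&u, u.ruid);                /* program sheds A's privileges */
    printf("after seteuid: r=%u e=%u s=%u dumpable=%d\n",
           u.ruid, u.euid, u.suid, plain_dumpable(&u));
    /* euid now names B, so an euid-keyed owner hands A's core to B;
     * only the saved uid still records that the image ran as A. */
    printf("owner by euid=%u, by suid=%u\n", owner_by_euid(&u), owner_by_suid(&u));
    return 0;
}
```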