Subject: Re: sysctl knob to let sugid processes dump core (pr 15994)
To: Garrett D'Amore <garrett_damore@tadpole.com>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 01/25/2006 13:28:10
On Tue, Jan 24, 2006 at 11:57:07PM -0800, Garrett D'Amore wrote:
> 
> Folks, let's remember, you can't get *any* core file from a sugid process
> right now.  By adding this feature, we're adding value.

Not from my point of view.  From my point of view, we're adding the ability
for an attacker to harvest sensitive information in a way in which he could
not harvest it before -- and we're making it possible to turn that on
without access to the machine's console.

You could always change one line in the kernel and get this, if you wanted
it.  The difference, before, was that on a system running at securelevel 1
or higher, you would need access to the machine in single user mode to do
so, which allowed tightly constraining the set of potential attackers.  By
committing this change without a check for securelevel > 0, we cause a
security regression: anyone with superuser access to the machine -- rather
than physical access to the machine's console -- can now harvest information
from setuid binaries.

-- 
  Thor Lancelot Simon	                                     tls@rek.tjls.com

  "We cannot usually in social life pursue a single value or a single moral
   aim, untroubled by the need to compromise with others."      - H.L.A. Hart
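The securelevel gate the reply asks for, shown as a constructed C model added here; it is not part of the thread and not NetBSD's sysctl code, and the state struct and function names are hypothetical:

```c
#include <errno.h>
#include <stdbool.h>

/* Constructed model, not NetBSD's actual kernel code; names are hypothetical. */
struct kern_state {
    int securelevel;     /* -1, 0, or >= 1 as on BSD systems */
    int sugid_coredump;  /* proposed knob: 1 = sugid processes may dump core */
};

/* Unguarded write handler: the regression described in the message.
 * Anyone with superuser access can enable the knob at any securelevel. */
int sugid_coredump_write_unguarded(struct kern_state *ks, int newval)
{
    if (newval != 0 && newval != 1)
        return EINVAL;
    ks->sugid_coredump = newval;
    return 0;
}

/* Guarded write handler: refuses to *enable* the knob once the system runs
 * at securelevel > 0, so turning it on again means dropping to single-user
 * mode (console access). Turning it off is always permitted. */
int sugid_coredump_write_guarded(struct kern_state *ks, int newval)
{
    if (newval != 0 && newval != 1)
        return EINVAL;
    if (newval == 1 && ks->securelevel > 0)
        return EPERM;
    ks->sugid_coredump = newval;
    return 0;
}

/* Decision point at coredump time: a sugid process dumps core only when the
 * knob is on; processes that never changed credentials are unaffected. */
bool may_dump_core(const struct kern_state *ks, bool proc_is_sugid)
{
    if (!proc_is_sugid)
        return true;
    return ks->sugid_coredump == 1;
}
```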