Subject: Re: sysctl knob to let sugid processes dump core (pr 15994)
To: None <firstname.lastname@example.org, email@example.com>
From: Pavel Cahyna <firstname.lastname@example.org>
Date: 01/26/2006 00:14:50
On Wed, Jan 25, 2006 at 04:47:18PM -0500, Thor Lancelot Simon wrote:
> On Wed, Jan 25, 2006 at 10:41:57PM +0100, email@example.com wrote:
> > On Wed, Jan 25, 2006 at 01:28:10PM -0500, Thor Lancelot Simon wrote:
> > > You could always change one line in the kernel and get this, if you wanted
> > > it. The difference, before, was that on a system running at securelevel 1
> > > or higher, you would need access to the machine in single user mode to do
> > > so, which allowed tightly constraining the set of potential attackers.
> > How does a securelevel of >= 1 prevent a root process from using ptrace
> > on the very same process you would have a coredump from?
> That is a bug.
securelevel is documented as a mechanism to "protect the persistent code
and data on the system". That's why it disables changing of file flags,
/dev/mem, and mounted disks. ptrace() or coredumps have nothing to do with
the TCB. BTW, /dev/mem at securelevel = 1 is still readable! You don't
need ptrace() or coredumps.
If you want to restrict random other things, securelevel = 2 or some
other fine-grained mechanism like capabilities should be used.