tech-security: Re: sysctl knob to let sugid processes dump core (pr 15994)

Subject: Re: sysctl knob to let sugid processes dump core (pr 15994)
To: None <tls@rek.tjls.com>
From: Elad Efrat <elad@NetBSD.org>
List: tech-security
Date: 01/27/2006 05:30:18
This is a multi-part message in MIME format.
--------------020006070602020805060702
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Thor Lancelot Simon wrote:

> Default disable, can only be modified at securelevel < 1.  That gives us
> the same basic situation we have now, with the convenience of not having
> to modify the kernel sources to get cores from setuid programs.

updated patch attached.

-e.

-- 
Elad Efrat

--------------020006070602020805060702
Content-Type: text/plain;
 name="setid_core.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="setid_core.diff"

Index: kern/init_sysctl.c
===================================================================
RCS file: /cvsroot/src/sys/kern/init_sysctl.c,v
retrieving revision 1.60
diff -u -p -r1.60 init_sysctl.c
--- kern/init_sysctl.c	27 Jan 2006 03:14:56 -0000	1.60
+++ kern/init_sysctl.c	27 Jan 2006 03:27:56 -0000
@@ -74,6 +74,7 @@ __KERNEL_RCSID(0, "$NetBSD: init_sysctl.
 #define	VERIEXEC_NEED_NODE
 #include <sys/verified_exec.h>
 #endif /* VERIFIED_EXEC */
+#include <sys/stat.h>
 
 #if defined(SYSVMSG) || defined(SYSVSEM) || defined(SYSVSHM)
 #include <sys/ipc.h>
@@ -92,6 +93,11 @@ __KERNEL_RCSID(0, "$NetBSD: init_sysctl.
 
 /* XXX this should not be here */
 int security_curtain = 0;
+int security_setidcore_dump;
+char security_setidcore_path[MAXPATHLEN] = "/var/crash/%n.core";
+uid_t security_setidcore_owner = 0;
+gid_t security_setidcore_group = 0;
+mode_t security_setidcore_mode = (S_IRUSR|S_IWUSR);
 
 /*
  * try over estimating by 5 procs/lwps
@@ -147,6 +153,7 @@ static int sysctl_kern_file2(SYSCTLFN_PR
 #ifdef VERIFIED_EXEC
 static int sysctl_kern_veriexec(SYSCTLFN_PROTO);
 #endif
+static int sysctl_security_setidcore(SYSCTLFN_PROTO);
 static int sysctl_kern_cpid(SYSCTLFN_PROTO);
 static int sysctl_doeproc(SYSCTLFN_PROTO);
 static int sysctl_kern_proc_args(SYSCTLFN_PROTO);
@@ -1036,6 +1043,44 @@ SYSCTL_SETUP(sysctl_security_setup, "sys
 				    " to users not owning them."),
 		       NULL, 0, &security_curtain, 0,
 		       CTL_CREATE, CTL_EOL);
+
+	sysctl_createv(clog, 0, &rnode, &rnode,
+		       CTLFLAG_PERMANENT,
+		       CTLTYPE_NODE, "setid_core",
+		       SYSCTL_DESCR("Set-id processes' coredump settings."),
+		       NULL, 0, NULL, 0,
+		       CTL_CREATE, CTL_EOL);
+	sysctl_createv(clog, 0, &rnode, NULL,
+		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+		       CTLTYPE_INT, "dump",
+		       SYSCTL_DESCR("Allow set-id processes to dump core."),
+		       sysctl_security_setidcore, 0, &security_setidcore_dump,
+		       sizeof(security_setidcore_dump),
+		       CTL_CREATE, CTL_EOL);
+	sysctl_createv(clog, 0, &rnode, NULL,
+		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+		       CTLTYPE_STRING, "path",
+		       SYSCTL_DESCR("Path pattern for set-id coredumps."),
+		       NULL, 0, &security_setidcore_path, MAXPATHLEN,
+		       CTL_CREATE, CTL_EOL);
+	sysctl_createv(clog, 0, &rnode, NULL,
+		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+		       CTLTYPE_INT, "owner",
+		       SYSCTL_DESCR("Owner id for set-id processes' cores."),
+		       NULL, 0, &security_setidcore_owner, 0,
+		       CTL_CREATE, CTL_EOL);
+	sysctl_createv(clog, 0, &rnode, NULL,
+		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+		       CTLTYPE_INT, "group",
+		       SYSCTL_DESCR("Group id for set-id processes' cores."),
+		       NULL, 0, &security_setidcore_group, 0,
+		       CTL_CREATE, CTL_EOL);
+	sysctl_createv(clog, 0, &rnode, NULL,
+		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+		       CTLTYPE_INT, "mode",
+		       SYSCTL_DESCR("Mode for set-id processes' cores."),
+		       NULL, 0, &security_setidcore_mode, 0,
+		       CTL_CREATE, CTL_EOL);
 }
 
 /*
@@ -2522,6 +2567,27 @@ sysctl_kern_veriexec(SYSCTLFN_ARGS)
 }
 #endif /* VERIFIED_EXEC */
 
+static int
+sysctl_security_setidcore(SYSCTLFN_ARGS)
+{
+	int newsize, error;
+	struct sysctlnode node;
+
+	node = *rnode;
+	node.sysctl_data = &newsize;
+	newsize = *(int *)rnode->sysctl_data;
+	error = sysctl_lookup(SYSCTLFN_CALL(&node));
+	if (error || newp == NULL)
+		return error;
+
+	if (securelevel > 0)
+		return (EPERM);
+
+	*(int *)rnode->sysctl_data = newsize;
+
+	return 0;
+}
+
 /*
  * sysctl helper routine for kern.cp_id node.  maps cpus to their
  * cpuids.
Index: kern/kern_sig.c
===================================================================
RCS file: /cvsroot/src/sys/kern/kern_sig.c,v
retrieving revision 1.213
diff -u -p -r1.213 kern_sig.c
--- kern/kern_sig.c	24 Dec 2005 19:12:23 -0000	1.213
+++ kern/kern_sig.c	27 Jan 2006 03:27:59 -0000
@@ -70,6 +70,7 @@ __KERNEL_RCSID(0, "$NetBSD: kern_sig.c,v
 #include <sys/sa.h>
 #include <sys/savar.h>
 #include <sys/exec.h>
+#include <sys/sysctl.h>
 
 #include <sys/mount.h>
 #include <sys/syscallargs.h>
@@ -2101,9 +2102,10 @@ coredump(struct lwp *l, const char *patt
 	cred = p->p_cred->pc_ucred;
 
 	/*
-	 * Make sure the process has not set-id, to prevent data leaks.
+	 * Make sure the process has not set-id, to prevent data leaks,
+	 * unless it was specifically requested to allow set-id coredumps.
 	 */
-	if (p->p_flag & P_SUGID)
+	if ((p->p_flag & P_SUGID) && !security_setidcore_dump)
 		return (EPERM);
 
 	/*
@@ -2126,6 +2128,9 @@ restart:
 	    (vp->v_mount->mnt_flag & MNT_NOCOREDUMP) != 0)
 		return (EPERM);
 
+	if (p->p_flag & P_SUGID && security_setidcore_dump)
+		pattern = security_setidcore_path;
+
 	if (pattern == NULL)
 		pattern = p->p_limit->pl_corename;
 	if ((error = build_corename(p, name, pattern, sizeof(name))) != 0)
@@ -2155,6 +2160,13 @@ restart:
 	}
 	VATTR_NULL(&vattr);
 	vattr.va_size = 0;
+
+	if (p->p_flag & P_SUGID && security_setidcore_dump) {
+		vattr.va_uid = security_setidcore_owner;
+		vattr.va_gid = security_setidcore_group;
+		vattr.va_mode = security_setidcore_mode;
+	}
+
 	VOP_LEASE(vp, l, cred, LEASE_WRITE);
 	VOP_SETATTR(vp, &vattr, cred, l);
 	p->p_acflag |= ACORE;
Index: sys/sysctl.h
===================================================================
RCS file: /cvsroot/src/sys/sys/sysctl.h,v
retrieving revision 1.147
diff -u -p -r1.147 sysctl.h
--- sys/sysctl.h	27 Jan 2006 03:14:56 -0000	1.147
+++ sys/sysctl.h	27 Jan 2006 03:28:01 -0000
@@ -909,6 +909,11 @@ extern struct sysctlnode sysctl_root;
 
 /* XXX this should not be here */
 extern int security_curtain;
+extern int security_setidcore_dump;
+extern char security_setidcore_path[];
+extern uid_t security_setidcore_owner;
+extern gid_t security_setidcore_group;
+extern mode_t security_setidcore_mode;
 
 /*
  * A log of nodes created by a setup function or set of setup

--------------020006070602020805060702--