Subject: Re: cvs commit: src/lib/libc/db/hash hash_buf.c
To: Karl Denninger <karl@mcs.net>
From: Jason Thorpe <thorpej@nas.nasa.gov>
List: tech-userlevel
Date: 10/18/1996 10:37:09
On Fri, 18 Oct 1996 11:56:57 -0500 (CDT)
Karl Denninger <karl@Mcs.Net> wrote:
> If you're arguing for no core dumps of anything which could contain
> sensitive data, then the bottom line is that you have to decline any of the
> following:
>
> 1) ptrace() on any process which was STARTED Suid (not "currently is"
> SUID). This precludes debugging on a process in this state.
...unless you're root. It's not a stretch to assume that if you're
debugging a setuid-0 system executable, that you have root privvies
on the system.
> 2) Any process which starts with the SUID or SGID bit on must
> internally decline to dump core (regardless of ulimit settings) at
> all times -- both while SUID and *IF SUID IS REVOKED BY THE JOB*.
The program doesn't have to do this... the _kernel_ should (and, under
NetBSD, does); see coredump() in kern_sig.c.
Quite honestly, I think it's very much worth the trade-off of "Gee, that
program didn't core when it crashed" or "Gee, I can't read the core
it dropped" in order to keep sensitive information out of the hands of
bozos.
Jason R. Thorpe thorpej@nas.nasa.gov
NASA Ames Research Center Home: 408.866.1912
NAS: M/S 258-6 Work: 415.604.0935
Moffett Field, CA 94035 Pager: 415.428.6939
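The kernel-side check Jason points at in coredump() has a user-visible counterpart on Linux, where the same "started set-id or changed credentials" state is kept as the per-process dumpable flag (cleared by the kernel on a set-id exec and on a credential change, and exposed through prctl(2)). The program below is an added example written for this archive page; it is not NetBSD code and not from the thread. It assumes Linux with prctl(2) (on other systems it falls back to zeroing RLIMIT_CORE, the program-side approach discussed above, and says so in the comments); the function names are my own. It forks a child that raises its core limit as high as the hard limit allows, optionally marks itself non-dumpable, and then crashes, so you can see that the kernel flag wins over ulimit.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifdef __linux__
#include <sys/prctl.h>
/* Linux keeps the "set-id / changed credentials" state as the per-process
 * dumpable flag; prctl(2) reads it (0, 1, or 2) and lets us clear it. */
static int set_dumpable(int v) { return prctl(PR_SET_DUMPABLE, v, 0, 0, 0); }
static int get_dumpable(void)  { return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0); }
#else
/* Assumed fallback for systems without prctl(2): stands in for the kernel
 * flag by zeroing RLIMIT_CORE, i.e. the program-side approach from the
 * thread.  Unlike the kernel flag, a child could raise the limit again. */
static int fake_dumpable = 1;
static int set_dumpable(int v) {
    struct rlimit rl = { 0, 0 };
    fake_dumpable = v;
    return v ? 0 : setrlimit(RLIMIT_CORE, &rl);
}
static int get_dumpable(void) { return fake_dumpable; }
#endif

/* Put this process in the state the kernel gives a set-id process:
 * no core, whatever RLIMIT_CORE says.  Returns 0 on success, -1 on error. */
int refuse_core_dumps(void) { return set_dumpable(0); }

/* What the kernel would do if this process crashed right now:
 *  -1 error, 0 no core, 1 core, 2 core but readable by root only
 *  (Linux fs/suid_dumpable=2 mode, the "can't read the core" case). */
int core_dump_policy(void) {
    struct rlimit rl;
    int d = get_dumpable();
    if (d < 0 || getrlimit(RLIMIT_CORE, &rl) != 0) return -1;
    if (rl.rlim_cur == 0) return 0;   /* ulimit -c 0 also stops a core */
    return d;
}

/* Fork a child that raises RLIMIT_CORE to its hard limit, optionally marks
 * itself non-dumpable, then dies of SIGSEGV.  Returns 1 if the kernel
 * reports that a core was produced, 0 if not, -1 on error. */
int crash_child_and_check_core(int nondumpable) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct rlimit rl;
        if (getrlimit(RLIMIT_CORE, &rl) == 0) {
            rl.rlim_cur = rl.rlim_max;          /* "ulimit -c unlimited" as far as allowed */
            setrlimit(RLIMIT_CORE, &rl);
        }
        if (nondumpable && refuse_core_dumps() != 0) _exit(126);
        signal(SIGSEGV, SIG_DFL);
        raise(SIGSEGV);
        _exit(127);                              /* not reached */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFSIGNALED(status)) return -1;
    return WCOREDUMP(status) ? 1 : 0;
}

int main(void) {
    printf("dumpable child, core dumped:     %d\n", crash_child_and_check_core(0));
    printf("non-dumpable child, core dumped: %d\n", crash_child_and_check_core(1));
    refuse_core_dumps();
    printf("this process after refuse_core_dumps(), policy: %d\n", core_dump_policy());
    return 0;
}
```

Whether the first line reports 1 depends on the hard RLIMIT_CORE and core_pattern of the machine you run it on; the second line reports 0 everywhere, which is the property the thread is after: once the kernel has marked the process, no ulimit setting in the program or its environment brings the core back. A real set-id binary gets into that state without calling anything, so the check belongs in the kernel rather than in every privileged program.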