Subject: Re: cvs commit: src/lib/libc/db/hash hash_buf.c
To: Jon Ribbens <jon@oaktree.co.uk>
From: Jason Thorpe <thorpej@nas.nasa.gov>
List: tech-userlevel
Date: 10/18/1996 11:02:07
On Fri, 18 Oct 1996 16:53:57 +0100 (BST) 
 Jon Ribbens <jon@oaktree.co.uk> wrote:

 > The ftpd starts out as root, fetches the passwords, and then the
 > user can make it setuid to themselves by typing their user-name
 > and password. They can then make it core-dump (using 'kill') and
 > read the encrypted passwords. I tried it just now and it worked.
 > Hence this thread is not silly. Anyone with a shell account on
 > a machine can trivially gain access to the shadow password file.

Umm ... I just tried this test, on my NetBSD/sparc workstation...

ftp'd to localhost, logged in as myself.  Sent that process a SIGSEGV
with kill(1).  It definitely did not drop a core file.  Just to make
sure, tried again with SIGABRT.  Nup.

And, this is with a kernel that doesn't have the change Matt committed
to kern_sig.c last night :-)

 > I'd appreciate it if whoever it was who patched their kernel to
 > not core-dump programs which *used to be* SUID could post their
 > patch here.

The relevant change that Matthew Green committed yesterday is appended
below.

 > PS. Actually, it didn't work, because I'm using wu-ftpd. When
 >     I switched back to the standard NetBSD 1.1 ftpd for a sec to
 >     check it, it did work. wu-ftpd catches every signal under the
 >     sun and doesn't core-dump on them. This is obviously not
 >     a very nice solution.

Oh .. I'm running a much more recent NetBSD kernel than you are, I guess.
The coredump() function in kern_sig.c wasn't as picky in NetBSD 1.1.
The behavior I'm describing is the way it appears in NetBSD 1.2.

Jason R. Thorpe                                       thorpej@nas.nasa.gov
NASA Ames Research Center                               Home: 408.866.1912
NAS: M/S 258-6                                          Work: 415.604.0935
Moffett Field, CA 94035                                Pager: 415.428.6939
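
The userland side of the same problem, as an added example that is not from this thread or from the NetBSD source: a daemon that reads password hashes as root can lower RLIMIT_CORE to 0 before it drops privileges, which satisfies the size check visible in the appended coredump() diff on any kernel, and can scrub the hash buffer as soon as the comparison is done. The hash string and the ordering in main() are constructed for illustration.

```c
#include <stdio.h>
#include <sys/resource.h>

/* Set soft and hard core-file limits to 0 while still privileged.  The
 * coredump() code in the appended diff returns without dumping when the
 * image would exceed p_rlimit[RLIMIT_CORE].rlim_cur, so a 0 limit blocks
 * the dump even on a kernel lacking the P_SUGID test.  Returns 0 or -1. */
int disable_core_dumps(void)
{
    struct rlimit rl;
    rl.rlim_cur = 0;
    rl.rlim_max = 0;
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Returns 1 if the soft core limit is now 0, 0 if not, -1 on error. */
int core_dumps_disabled(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    return rl.rlim_cur == 0;
}

/* Zero a secret through a volatile pointer so the compiler cannot elide
 * the stores as dead.  Returns 1 when every byte reads back as zero. */
int scrub_secret(char *buf, size_t len)
{
    volatile char *p = (volatile char *)buf;
    size_t i;
    for (i = 0; i < len; i++)
        p[i] = 0;
    for (i = 0; i < len; i++)
        if (p[i] != 0)
            return 0;
    return 1;
}

/* Privileged-daemon ordering: disable dumps, use and scrub the secret, and
 * only then setuid() to the user, so a later signal has nothing to expose.
 * The hash below is a constructed placeholder, not a real password hash. */
int main(void)
{
    char hash[] = "$1$constructed$placeholder";
    if (disable_core_dumps() != 0)
        return 1;
    int clean = scrub_secret(hash, sizeof hash);   /* after the compare */
    printf("dumps disabled: %d, scrubbed: %d\n", core_dumps_disabled(), clean);
    return 0;
}
```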

 ----- snip -----

Index: kern_sig.c
===================================================================
RCS file: /cvsroot/src/sys/kern/kern_sig.c,v
retrieving revision 1.57
retrieving revision 1.58
diff -c -r1.57 -r1.58
*** kern_sig.c	1996/10/13 02:32:34	1.57
--- kern_sig.c	1996/10/18 08:39:34	1.58
***************
*** 1,4 ****
! /*	$NetBSD: kern_sig.c,v 1.57 1996/10/13 02:32:34 christos Exp $	*/
  
  /*
   * Copyright (c) 1982, 1986, 1989, 1991, 1993
--- 1,4 ----
! /*	$NetBSD: kern_sig.c,v 1.58 1996/10/18 08:39:34 mrg Exp $	*/
  
  /*
   * Copyright (c) 1982, 1986, 1989, 1991, 1993
***************
*** 1045,1063 ****
  	register struct proc *p;
  {
  	register struct vnode *vp;
- 	register struct pcred *pcred = p->p_cred;
- 	register struct ucred *cred = pcred->pc_ucred;
  	register struct vmspace *vm = p->p_vmspace;
  	struct nameidata nd;
  	struct vattr vattr;
  	int error, error1;
  	char name[MAXCOMLEN+6];		/* progname.core */
  	struct core core;
  
! 	if (pcred->p_svuid != pcred->p_ruid ||
! 	    cred->cr_uid != pcred->p_ruid ||
! 	    pcred->p_svgid != pcred->p_rgid ||
! 	    cred->cr_gid != pcred->p_rgid)
  		return (EFAULT);
  	if (USPACE + ctob(vm->vm_dsize + vm->vm_ssize) >=
  	    p->p_rlimit[RLIMIT_CORE].rlim_cur)
--- 1045,1059 ----
  	register struct proc *p;
  {
  	register struct vnode *vp;
  	register struct vmspace *vm = p->p_vmspace;
+ 	register struct ucred *cred = p->p_cred->pc_ucred;
  	struct nameidata nd;
  	struct vattr vattr;
  	int error, error1;
  	char name[MAXCOMLEN+6];		/* progname.core */
  	struct core core;
  
! 	if (p->p_flag & P_SUGID)
  		return (EFAULT);
  	if (USPACE + ctob(vm->vm_dsize + vm->vm_ssize) >=
  	    p->p_rlimit[RLIMIT_CORE].rlim_cur)
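Review bot: The credential comparison being replaced (the four `!`-marked lines in the old hunk) only looks at the process's current ids, so a daemon that started as root and then called setuid() to the logged-in user's real uid, the ftpd case described earlier in the thread, passes it with all ids equal and is allowed to dump memory that still holds the hashes it read as root. `P_SUGID` is set on exec of a set-id image and by the set*id() calls and is only cleared at the next exec, so `if (p->p_flag & P_SUGID)` also covers the formerly privileged process. Suggest a one-line comment above that test recording this reasoning, since the single flag check reads as weaker than the old four-way comparison without it. The retained local `register struct ucred *cred = p->p_cred->pc_ucred;` is presumably still needed by the vnode calls further down the function, which are outside this hunk; if not, it should go too.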