Subject: Re: sysctl knob to let sugid processes dump core (pr 15994)
To: None <tech-kern@netbsd.org, tech-security@netbsd.org>
From: Pavel Cahyna <pavel.cahyna@st.mff.cuni.cz>
List: tech-kern
Date: 01/26/2006 00:14:50
On Wed, Jan 25, 2006 at 04:47:18PM -0500, Thor Lancelot Simon wrote:
> On Wed, Jan 25, 2006 at 10:41:57PM +0100, joerg@britannica.bec.de wrote:
> > On Wed, Jan 25, 2006 at 01:28:10PM -0500, Thor Lancelot Simon wrote:
> > > You could always change one line in the kernel and get this, if you wanted
> > > it.  The difference, before, was that on a system running at securelevel 1
> > > or higher, you would need access to the machine in single user mode to do
> > > so, which allowed tightly constraining the set of potential attackers.
> > 
> > How does a securelevel of >= 1 prevent a root process from using ptrace
> > on the very same process you would have a coredump from?
> 
> That is a bug.

Why?

securelevel is documented as a mechanism to "protect the persistent code
and data on the system". That's why it disables changing of file flags,
/dev/mem, and mounted disks. ptrace() or coredumps have nothing to do with
the TCB. BTW, /dev/mem at securelevel = 1 is still readable! You don't
need ptrace() or coredumps.

If you want to restrict random other things, securelevel = 2 or some
other fine-grained mechanism like capabilities should be used.

Pavel