Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
To: Todd C. Miller <Todd.Miller@courtesan.com>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-security
Date: 08/27/1999 10:57:54
Message-Id: <199908271457.OAA19930@orchard.arlington.ma.us>
To: "Todd C. Miller" <Todd.Miller@courtesan.com>
cc: Manuel Bouyer <bouyer@antioche.lip6.fr>, tech-security@netbsd.org
In-Reply-To: Message from "Todd C. Miller" <Todd.Miller@courtesan.com> 
   of "Fri, 27 Aug 1999 08:46:37 MDT." <199908271446.IAA10338@xerxes.cs.colorado.edu> 
Date: Fri, 27 Aug 1999 10:57:54 -0400

I think coredumps through symlinks are dangerous in general and should
just be disabled.

IMHO what the folks creating symlinks to not send their coredumps into
NFS "really" want is a per-process inherited attribute which I'll call
the "core filename format".

Currently it's "%n.core"

reasonable things might be:

	format chars:
		n:	program name
		p:	process id
		u:	user login name (as set by setlogin(2)), ...

Implementing this seems like a reasonable afternoon project and
doesn't seem fraught with risk like the "check owner of symlink" thing
would be.

				- Bill
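
The format expansion proposed in the message above, as an added example (not code from the original post or from any BSD kernel). Only the format characters n, p and u come from the message; the function names, the `long` pid parameter, and the policy of rejecting empty, `.`, `..` or `/`-containing substituted values are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* A substituted value must stay a single path component (assumed policy). */
static int safe_value(const char *v)
{
    return v != NULL && v[0] != '\0' && strchr(v, '/') == NULL &&
        strcmp(v, ".") != 0 && strcmp(v, "..") != 0;
}

/* Expand fmt into out: 0 on success, -1 on bad format, unsafe value or overflow. */
int core_name_expand(const char *fmt, const char *prog, long pid,
    const char *login, char *out, size_t outlen)
{
    char pidbuf[32], lit[2] = "";
    const char *val;
    size_t n, pos = 0;

    if (outlen == 0)
        return -1;
    snprintf(pidbuf, sizeof(pidbuf), "%ld", pid);
    for (; *fmt != '\0'; fmt++) {
        if (*fmt != '%') {          /* literal character from the format */
            lit[0] = *fmt;
            val = lit;
        } else {
            switch (*++fmt) {
            case 'n': val = prog; break;    /* program name */
            case 'p': val = pidbuf; break;  /* process id */
            case 'u': val = login; break;   /* login name */
            default: return -1;     /* unknown char or trailing '%' */
            }
            if (!safe_value(val))   /* process-supplied, so not trusted */
                return -1;
        }
        n = strlen(val);
        if (n >= outlen - pos)      /* keep room for the NUL */
            return -1;
        memcpy(out + pos, val, n);
        pos += n;
    }
    out[pos] = '\0';
    return 0;
}
```

Literal `/` characters in the format are allowed so the format itself can name a local directory, while values substituted for n and u cannot add path components.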