From owner-freebsd-hackers Fri Oct 18 11:49:32 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA15787 for hackers-outgoing; Fri, 18 Oct 1996 11:49:32 -0700 (PDT)
Received: from ux2.sp.cs.cmu.edu (UX2.SP.CS.CMU.EDU [128.2.198.102]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id LAA15781 for ; Fri, 18 Oct 1996 11:49:28 -0700 (PDT)
Received: from localhost by ux2.sp.cs.cmu.edu id aa28251; 18 Oct 96 14:48 EDT
To: Karl Denninger
cc: dg@root.com, gritton@byu.edu, freebsd-hackers@freebsd.org, tech-userlevel@netbsd.org
Subject: Re: cvs commit: src/lib/libc/db/hash hash_buf.c
In-reply-to: Your message of "Fri, 18 Oct 1996 11:56:57 CDT." <199610181656.LAA26366@Jupiter.Mcs.Net>
Date: Fri, 18 Oct 1996 14:48:16 -0400
Message-ID: <28242.845664496@ux2.sp.cs.cmu.edu>
From: Chris G Demetriou
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> If you're arguing for no core dumps of anything which could contain
> sensitive data, then the bottom line is that you have to decline any of the
> following:
>
> 1) ptrace() on any process which was STARTED SUID (not "currently is"
> SUID). This precludes debugging on a process in this state.
>
> 2) Any process which starts with the SUID or SGID bit on must
> internally decline to dump core (regardless of ulimit settings) at
> all times -- both while SUID and *IF SUID IS REVOKED BY THE JOB*.

Not quite... (1) should be "ptrace() by non-root"... and you forgot:

(3) access via procfs by non-root to any process which was started suid.

cgd
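Point (2) above is the one a program can enforce for itself in userland: decide at startup whether it was STARTED set-id, remember that answer, and refuse core dumps for the rest of its life even after it has revoked its privileges. The following C is an added illustration written for this page, not code from the thread or from the FreeBSD/NetBSD tree; it assumes only setrlimit()/getrlimit(), which exist on the BSDs and Linux, and the function names are the author's own.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/resource.h>
#include <unistd.h>

/* Policy question from the thread: did this process START set-uid or
 * set-gid?  Pure function so the decision can be tested with sample ids.
 * Must be evaluated before any privilege is dropped, because afterwards
 * real and effective ids are equal again and the answer would be "no". */
int started_set_id(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid) {
    return ruid != euid || rgid != egid;
}

/* Refuse core dumps regardless of the inherited ulimit -c.  Setting the
 * HARD limit to 0 as well means unprivileged code in this process cannot
 * raise it again later.  Returns 0 on success, -1 on failure. */
int disable_core_dumps(void) {
    struct rlimit rl = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)      /* read back to confirm */
        return -1;
    return (rl.rlim_cur == 0 && rl.rlim_max == 0) ? 0 : -1;
}

/* Current soft core limit, so callers can verify the policy stuck. */
rlim_t current_core_limit(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return (rlim_t)-1;
    return rl.rlim_cur;
}

/* Remembered from startup: the "was started set-id" flag outlives the
 * set-id state itself, which is exactly the case the thread worries about. */
static int g_started_set_id = 0;

int init_privilege_policy(void) {
    g_started_set_id = started_set_id(getuid(), geteuid(), getgid(), getegid());
    return g_started_set_id ? disable_core_dumps() : 0;
}

int main(void) {
    if (init_privilege_policy() != 0) { perror("setrlimit"); return 1; }
    /* ... revoke set-id privileges here (e.g. setuid(getuid())) ... */
    printf("started set-id: %d, core limit now: %llu\n",
           g_started_set_id, (unsigned long long)current_core_limit());
    return 0;
}
```

Note that this covers only the process's own core dumps; points (1) and (3), ptrace() and procfs access by non-root, are kernel policy and cannot be enforced from inside the process.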