From owner-freebsd-current Tue Jul 9 12:02:01 1996
Subject: It is impossible even for root to make core from [sg]uid process!
From: Andrey A. Chernov
To: current@freebsd.org (FreeBSD-current)
Cc: security@freebsd.org
Date: Tue, 9 Jul 1996 22:52:40 +0400 (MSD)
Message-Id: <199607091852.WAA00325@nagual.ru>
Organization: self

As the subject says, it is impossible even for root to debug a [sg]uid program (especially a daemon) without a core from it. The following block from kern_sig.c stops the core dump:

    /*
     * If we are setuid/setgid, or if we've changed uid's in the past,
     * we may be holding privileged information. We must not core!
     */
    if (pcred->p_svuid != pcred->p_ruid ||
        pcred->p_svgid != pcred->p_rgid)
            return (EFAULT);
    if (p->p_flag & P_SUGID)
            return (EFAULT);

IMHO this code restricts too much: the only case it is needed for is the uid 0 -> user_id transition. It is NOT needed for the user_id -> 0 transition, because the core file can be owned by root in this case with 0600 permissions.
I want to frame this block:

    if (pcred->p_ruid) {
            /* non-root case */
            [block]
    } else {
            /* root case */
            euid = 0;       /* to make program.core owned by root, 0600 */
    }

This fix allows core from most daemons, because they are usually started by root (ruid == 0).

Any comments?

--
Andrey A. Chernov
http://www.nagual.ru/~ache/
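To make the two policies comparable, here is an added user-space model of the decision (not the kern_sig.c code and not Andrey's patch); the struct and function names are assumptions. It applies the existing block and the proposed "only when ruid != 0" framing to the same credentials and reports whether a core would be written and which uid would own it.

```c
#include <stdbool.h>
#include <sys/types.h>
/* Model of the credential fields the kern_sig.c check reads (assumed names). */
struct cred_model {
    uid_t ruid, svuid;   /* real and saved user id (p_ruid, p_svuid) */
    gid_t rgid, svgid;   /* real and saved group id (p_rgid, p_svgid) */
    bool  sugid;         /* P_SUGID: the process changed ids at some point */
};
/* Outcome: whether a core is written, and which uid would own the file. */
struct core_decision {
    bool  dump;
    uid_t owner;
};

/* The existing kern_sig.c block: refuse a core if the saved ids differ from
 * the real ids, or if the process ever changed ids (P_SUGID). */
static bool sugid_block(const struct cred_model *c)
{
    if (c->svuid != c->ruid || c->svgid != c->rgid)
        return true;     /* the kernel returns EFAULT here */
    if (c->sugid)
        return true;
    return false;
}

/* Original policy: the block applies to every process. */
struct core_decision coredump_original(const struct cred_model *c)
{
    struct core_decision d = { false, 0 };
    if (sugid_block(c))
        return d;
    d.dump = true; d.owner = c->ruid;   /* euid == ruid for a non-sugid process */
    return d;
}

/* Proposed policy: the block applies only when ruid != 0; a process with
 * ruid == 0 dumps with euid forced to 0, so the core is owned by root (0600). */
struct core_decision coredump_proposed(const struct cred_model *c)
{
    struct core_decision d = { false, 0 };
    if (c->ruid != 0) {           /* non-root case: unchanged rule */
        if (sugid_block(c))
            return d;
        d.dump = true; d.owner = c->ruid;
        return d;
    }
    d.dump = true; d.owner = 0;   /* root case: euid = 0 */
    return d;
}
```

The interesting case is a root-started daemon that switched its effective uid with seteuid() and so carries P_SUGID: the original block refuses it a core, the proposed framing writes one owned by root, while a setuid-root binary started by an ordinary user (ruid != 0) is refused under both.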