Date:      Fri, 18 Oct 1996 19:18:49 -0600 (MDT)
From:      Marc Slemko <marcs@znep.com>
To:        Jason Thorpe <thorpej@nas.nasa.gov>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: cvs commit: src/lib/libc/db/hash hash_buf.c 
Message-ID:  <Pine.BSF.3.95.961018185919.3416F-100000@alive.ampr.ab.ca>
In-Reply-To: <199610181737.KAA24797@lestat.nas.nasa.gov>

On Fri, 18 Oct 1996, Jason Thorpe wrote:

> On Fri, 18 Oct 1996 11:56:57 -0500 (CDT) 
>  Karl Denninger <karl@Mcs.Net> wrote:
> 
>  > 2)	Any process which starts with the SUID or SGID bit on must
>  > 	internally decline to dump core (regardless of ulimit settings) at
>  > 	all times -- both while SUID and *IF SUID IS REVOKED BY THE JOB*.
> 
> The program doesn't have to do this... the _kernel_ should (and, under
> NetBSD, does); see coredump() in kern_sig.c.

The following change was hidden away in a bigger one committed to
FreeBSD-current on 1996/03/02 which seems to do the same as the NetBSD
code.  It appears like the problem can't be exploited in -current via any
method mentioned so far in this thread.

So, if we can't or don't want to find an acceptable way to clear the
memory used for the buffers, I would suggest the below change from
-current should be committed to -stable.  I think all the other bits are in
-stable (i.e. access via procfs, can't use ptrace on a process that has done
a setuid unless you are root), although there may be a couple of fixes to
the procfs restrictions that aren't in -stable.

If anyone can find any ways to exploit the problem under -stable if this
change is made, please bring them up. 

*** kern_sig.c	1996/01/31 12:44:13	1.18
--- kern_sig.c	1996/03/02 19:38:09	1.19
***************
*** 1204,1210 ****
--- 1200,1212 ----
  	int error, error1;
  	char name[MAXCOMLEN+6];		/* progname.core */
  
+ 	/*
+ 	 * If we are setuid/setgid, or if we've changed uid's in the past,
+ 	 * we may be holding privileged information.  We must not core!
+ 	 */
  	if (pcred->p_svuid != pcred->p_ruid || pcred->p_svgid != pcred->p_rgid)
+ 		return (EFAULT);
+ 	if (p->p_flag & P_SUGID)
  		return (EFAULT);
  	if (ctob(UPAGES + vm->vm_dsize + vm->vm_ssize) >=
  	    p->p_rlimit[RLIMIT_CORE].rlim_cur)
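Review bot: the added `if (p->p_flag & P_SUGID)` test is the line that actually covers the case raised upthread (a job that revokes its set-id privilege): once such a process has dropped back to its real IDs, the saved and real IDs match again and the pre-existing `p_svuid != p_ruid || p_svgid != p_rgid` comparison alone would let it core, so the P_SUGID test is load-bearing and is only as strong as the invariant that every path which changes a process's uids or gids sets the flag and only exec clears it. That invariant is what the new comment should state, rather than the vaguer "if we've changed uid's in the past". Two minor points: both refusals return EFAULT, which keeps the file's existing convention but gives the caller no way to tell "refused because privileged" from a genuine fault, and the new check correctly stays ahead of the RLIMIT_CORE comparison, since the limit must not be able to re-enable the dump for a set-id process.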

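The following is an added example and is not code from this thread or from FreeBSD. It is Linux-specific and assumes prctl(PR_SET_DUMPABLE), PTRACE_ATTACH and RLIMIT_CORE as documented in the Linux man pages. On Linux the per-process "dumpable" flag plays the role of the saved-vs-real uid comparison and the P_SUGID test in the hunk above: the kernel clears it when the process's credentials change, and once it is clear the kernel refuses both a core dump and a ptrace attach by anyone without CAP_SYS_PTRACE, which are two of the three vectors Marc lists. The harness forks children that either clear the flag explicitly (an unprivileged process can do that, which is what Karl's point 2 asks the program to do itself) or set RLIMIT_CORE to 0, then checks what the kernel reports via WCOREDUMP and what PTRACE_ATTACH returns. The enum names, function names and the constructed setup are this example's own.

```c
/* Added example, not part of the original mailing-list post.  Linux only:
 * compares the kernel-side "dumpable" flag with the ulimit approach. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef WCOREDUMP
#define WCOREDUMP(st) ((st) & 0x80)
#endif

/* What a child does to itself before the experiment (constructed for this
 * example): nothing, clear the dumpable flag, or zero the core rlimit. */
enum prep { PREP_NONE, PREP_CLEAR_DUMPABLE, PREP_ZERO_RLIMIT_CORE };

static void prepare(enum prep p)
{
    if (p == PREP_CLEAR_DUMPABLE && prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        _exit(99);
    if (p == PREP_ZERO_RLIMIT_CORE) {
        struct rlimit rl = { 0, 0 };
        if (setrlimit(RLIMIT_CORE, &rl) != 0)
            _exit(99);
    }
}

/* Fork a child that prepares itself and then aborts.  Returns 1 if the
 * kernel reports that a core was dumped, 0 if the child died of SIGABRT
 * with no core, -1 on any other outcome. */
int abort_child(enum prep p)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        prepare(p);
        abort();
    }
    int st;
    if (waitpid(pid, &st, 0) != pid || !WIFSIGNALED(st) || WTERMSIG(st) != SIGABRT)
        return -1;
    return WCOREDUMP(st) ? 1 : 0;
}

/* Fork a child that prepares itself and sleeps, then try PTRACE_ATTACH on it
 * from the parent.  Returns 1 if the attach succeeded, 0 if the kernel
 * refused it with EPERM, -1 on any other error. */
int attach_child(enum prep p)
{
    int ready[2];
    if (pipe(ready) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(ready[0]);
        prepare(p);
        close(ready[1]);              /* EOF on the pipe tells the parent "prepared" */
        for (;;)
            pause();
    }
    close(ready[1]);
    char c;
    ssize_t n = read(ready[0], &c, 1); /* returns 0 once the child closed its end */
    (void)n;
    close(ready[0]);

    int result;
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == 0) {
        int st;
        waitpid(pid, &st, 0);         /* attach delivers SIGSTOP; wait for it */
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
        result = 1;
    } else {
        result = (errno == EPERM) ? 0 : -1;
    }
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return result;
}

int main(void)
{
    static const char *names[] = { "no preparation", "PR_SET_DUMPABLE=0", "RLIMIT_CORE=0" };
    for (int p = PREP_NONE; p <= PREP_ZERO_RLIMIT_CORE; p++)
        printf("%-18s core dumped: %2d   ptrace attach: %2d\n",
               names[p], abort_child(p), attach_child(p));
    return 0;
}
```

Run it as an ordinary user: the PR_SET_DUMPABLE=0 row reports no core and a refused attach regardless of ulimit or core_pattern, which is the property the kernel check in the hunk is meant to give set-id processes. The RLIMIT_CORE=0 row is reported rather than asserted on, because with a pipe-style core_pattern the host's handler may still be invoked and what WCOREDUMP reports then depends on the host. Run as root, the attach column reads 1 even for the non-dumpable child, which is the same "unless you are root" caveat Marc attaches to ptrace.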