Date: Fri, 18 Oct 1996 19:18:49 -0600 (MDT)
From: Marc Slemko <marcs@znep.com>
To: Jason Thorpe <thorpej@nas.nasa.gov>
Cc: freebsd-hackers@freebsd.org
Subject: Re: cvs commit: src/lib/libc/db/hash hash_buf.c
Message-ID: <Pine.BSF.3.95.961018185919.3416F-100000@alive.ampr.ab.ca>
In-Reply-To: <199610181737.KAA24797@lestat.nas.nasa.gov>
On Fri, 18 Oct 1996, Jason Thorpe wrote:

> On Fri, 18 Oct 1996 11:56:57 -0500 (CDT)
> Karl Denninger <karl@Mcs.Net> wrote:
>
> > 2) Any process which starts with the SUID or SGID bit on must
> > internally decline to dump core (regardless of ulimit settings) at
> > all times -- both while SUID and *IF SUID IS REVOKED BY THE JOB*.
>
> The program doesn't have to do this... the _kernel_ should (and, under
> NetBSD, does); see coredump() in kern_sig.c.

The following change was hidden away in a bigger one committed to
FreeBSD-current on 1996/03/02 which seems to do the same as the NetBSD
code. It appears like the problem can't be exploited in -current via any
method mentioned so far in this thread.

So, if we can't or don't want to find an acceptable way to clear the
memory used for the buffers, I would suggest the below change from
-current should be committed to -stable. I think all the other bits are
in stable (i.e. access via procfs, can't use ptrace on a process that has
done a setuid unless you are root), although there may be a couple of
fixes to the procfs restrictions that aren't in -stable.

If anyone can find any ways to exploit the problem under -stable if this
change is made, please bring them up.

*** kern_sig.c	1996/01/31 12:44:13	1.18
--- kern_sig.c	1996/03/02 19:38:09	1.19
***************
*** 1204,1210 ****
--- 1200,1212 ----
  	int error, error1;
  	char name[MAXCOMLEN+6];		/* progname.core */
+ 	/*
+ 	 * If we are setuid/setgid, or if we've changed uid's in the past,
+ 	 * we may be holding privileged information. We must not core!
+ 	 */
  	if (pcred->p_svuid != pcred->p_ruid || pcred->p_svgid != pcred->p_rgid)
+ 		return (EFAULT);
+ 	if (p->p_flag & P_SUGID)
  		return (EFAULT);
  	if (ctob(UPAGES + vm->vm_dsize + vm->vm_ssize) >= p->p_rlimit[RLIMIT_CORE].rlim_cur)
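Review bot: the added `return (EFAULT);` directly under the svuid/svgid comparison leaves two return sites for a single decision; folding the flag test into the existing condition, `if (pcred->p_svuid != pcred->p_ruid || pcred->p_svgid != pcred->p_rgid || (p->p_flag & P_SUGID)) return (EFAULT);`, keeps one exit, and the new comment above it already describes both cases. The `P_SUGID` test is the part that matters: a process that has done a full setuid()/setgid() ends up with saved ids equal to its real ids, so the id comparison alone would let it dump core, and only the flag records that it once held other credentials. That also means the check is only as strong as the code paths that set `P_SUGID` (set-id exec and the setuid family), which are outside this hunk and worth confirming on -stable before the merge. `EFAULT` is an odd errno for "refused to write a core file"; it is inherited from the existing line rather than introduced here, but could be revisited in a follow-up.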
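To make the gap that the second check closes concrete, here is an added userland model of the coredump() credential test (this is illustrative code written for this archive page, not code from the thread or from FreeBSD). The struct, the `MODEL_P_SUGID` value and the four sample credential states are constructed here; only the field names are borrowed from the hunk above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed flag value for this model; the real P_SUGID lives in the
 * kernel's sys/proc.h and is not reproduced here. */
#define MODEL_P_SUGID 0x00000100

/* Minimal stand-in for the kernel's pcred fields and p_flag. */
struct model_proc {
    const char *label;
    uid_t ruid, svuid;   /* real and saved user id */
    gid_t rgid, svgid;   /* real and saved group id */
    int   p_flag;        /* process flags; only MODEL_P_SUGID is used */
};

/* The test as it stood in kern_sig.c 1.18: refuse a core file only while
 * the saved ids differ from the real ones.  Returns true when refused. */
bool core_refused_old(const struct model_proc *p)
{
    return p->svuid != p->ruid || p->svgid != p->rgid;
}

/* The test after revision 1.19: also refuse when the process has ever
 * changed credentials, as recorded by the P_SUGID flag. */
bool core_refused_new(const struct model_proc *p)
{
    if (p->svuid != p->ruid || p->svgid != p->rgid)
        return true;
    if (p->p_flag & MODEL_P_SUGID)
        return true;
    return false;
}

/* Constructed sample states covering the cases discussed in the thread.
 * Field order: label, ruid, svuid, rgid, svgid, p_flag. */
static const struct model_proc samples[] = {
    { "ordinary process",                       1000, 1000, 1000, 1000, 0 },
    { "setuid-root binary, still root",         1000,    0, 1000, 1000, MODEL_P_SUGID },
    { "setuid-root binary after setuid(1000)",  1000, 1000, 1000, 1000, MODEL_P_SUGID },
    { "root daemon after setuid(1000)",         1000, 1000, 1000, 1000, MODEL_P_SUGID },
};

/* Number of sample states where the old test would have written a core
 * file that the new test refuses: the gap the patch closes. */
int newly_refused_count(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (!core_refused_old(&samples[i]) && core_refused_new(&samples[i]))
            n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-42s old: %s  new: %s\n", samples[i].label,
               core_refused_old(&samples[i]) ? "refuse" : "dump",
               core_refused_new(&samples[i]) ? "refuse" : "dump");
    return 0;
}
```

The two "after setuid(1000)" rows are the ones that matter: once a process has dropped root with a full setuid(), its saved ids equal its real ids, so the 1.18 comparison alone would still write a core file containing whatever it read while privileged; only the flag remembers the earlier credentials.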