Date: Tue, 18 Feb 1997 23:57:08 -0800
From: David Greenman <dg@root.com>
To: Reinier Bezuidenhout <rbezuide@oskar.nanoteq.co.za>
Cc: jas@flyingfox.COM (Jim Shankland), security@freebsd.org
Subject: Re: Coredumps and setuids .. interesting..
Message-ID: <199702190757.XAA11039@root.com>
In-Reply-To: Your message of "Sat, 19 Feb 1997 09:14:38 +0200." <199702190714.JAA22361@oskar.nanoteq.co.za>
>> David Greenman writes, re coredumping setuid processes:
>>
>> > Hmmm. Either my replies aren't getting through to bugtraq, or
>> > people are just ignoring them. As of FreeBSD 2.1.6 and newer
>> > versions, we don't core dump for setuid processes. It's been
>> > this way for nearly a year in -current, but the change didn't
>> > get merged into the 2.1.x branch until after the 2.1.5
>> > release...that was an oversight.
>
>This is weird ... I have a 2.1.0 machine that I upgraded to a
>2.1.6.1 machine just before 2.1.6 was "freezed". I tried the
>rlogin coredump thingy and it did work. I could see ALL the
>users AND their passwords :/

   I've explained this several times already, but here goes again: There was a
bug in the kernel where it didn't pass the P_SUGID flag onto the child of a
fork. rlogin is a special case setuid binary in that it forks and doesn't
follow that with an exec. The child process was then vulnerable to being
killed in a way that would cause a core dump. Everyone prior to you who has
looked at the resulting core file (me included) has found that it contained
only the encrypted password for the user's own account, and not any others.
I'm rather surprised that you are saying that it contains other users'
encrypted passwords... In any case, that bug has been fixed in 2.1.7 and later
versions of FreeBSD.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project
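An added example, not code from this thread or from FreeBSD: a userland belt-and-braces for the case described above (a set-id program that forks without an exec), in C; the helper names are assumptions. It zeroes RLIMIT_CORE in the parent so the child cannot core dump even when the kernel fails to carry the set-id state (P_SUGID) across fork, and verifies that the limit really is inherited by the child.

```c
/* Added example (not from the thread): disable core dumps before fork()
 * so a forked child of a set-id program cannot dump even if the kernel
 * does not propagate P_SUGID. Resource limits are inherited across fork,
 * so RLIMIT_CORE=0 set in the parent holds in the child. Helper names
 * are hypothetical. */
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set soft and hard core-size limits to zero: no core file can be
 * written, and the process cannot raise the limit again. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* 1 if this process cannot produce a core file, 0 otherwise. */
int core_dumps_disabled(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    return rl.rlim_cur == 0 && rl.rlim_max == 0;
}

/* Portable approximation of BSD issetugid(): real and effective ids differ. */
int privileges_are_elevated(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Disable core dumps, fork, and report whether the child still cannot
 * dump: 1 if the child inherited the zero limit, 0 if not, -1 on error. */
int child_inherits_no_core(void)
{
    if (disable_core_dumps() != 0)
        return 0;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(core_dumps_disabled() ? 0 : 1); /* child reports via exit status */
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```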