From owner-freebsd-security Tue Feb 18 23:56:33 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id XAA10940 for security-outgoing; Tue, 18 Feb 1997 23:56:33 -0800 (PST)
Received: from root.com (implode.root.com [198.145.90.17]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id XAA10935 for ; Tue, 18 Feb 1997 23:56:28 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by root.com (8.8.5/8.6.5) with SMTP id XAA11039; Tue, 18 Feb 1997 23:57:08 -0800 (PST)
Message-Id: <199702190757.XAA11039@root.com>
X-Authentication-Warning: implode.root.com: localhost [127.0.0.1] didn't use HELO protocol
To: Reinier Bezuidenhout
cc: jas@flyingfox.COM (Jim Shankland), security@freebsd.org
Subject: Re: Coredumps and setuids .. interesting..
In-reply-to: Your message of "Sat, 19 Feb 1997 09:14:38 +0200." <199702190714.JAA22361@oskar.nanoteq.co.za>
From: David Greenman
Reply-To: dg@root.com
Date: Tue, 18 Feb 1997 23:57:08 -0800
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>> David Greenman writes, re coredumping setuid processes:
>>
>> > Hmmm. Either my replies aren't getting through to bugtraq, or
>> > people are just ignoring them. As of FreeBSD 2.1.6 and newer
>> > versions, we don't core dump for setuid processes. It's been
>> > this way for nearly a year in -current, but the change didn't
>> > get merged into the 2.1.x branch until after the 2.1.5
>> > release...that was an oversight.
>
> This is weird ... I have a 2.1.0 machine that I upgraded to a
> 2.1.6.1 machine just before 2.1.6 was "freezed". I tried the
> rlogin coredump thingy and it did work. I could see ALL the
> users AND their passwords :/

I've explained this several times already, but here goes again: There was a bug in the kernel where it didn't pass the P_SUGID flag onto the child of a fork. rlogin is a special-case setuid binary in that it forks and doesn't follow that with an exec. The child process was then vulnerable to being killed in a way that would cause a core dump. Everyone prior to you who has looked at the resulting core file (me included) has found that it contained only the encrypted password for the user's own account, and not any others. I'm rather surprised that you are saying that it contains other users' encrypted passwords... In any case, that bug has been fixed in 2.1.7 and later versions of FreeBSD.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project
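A userland mitigation for the case described in the message, added here as an example and not code from the thread or from FreeBSD: a privileged program that forks without exec can make a core file impossible before forking, because the core-size resource limit is inherited across fork() regardless of how the kernel handles its setuid flag. The function names are my own; the fork-without-exec child stands in for the rlogin child.

```c
#include <sys/resource.h>
#include <sys/wait.h>
#include <stdio.h>
#include <unistd.h>

/* Drop both the soft and hard core-file limits to zero. Lowering a limit
 * never needs privilege, and with the hard limit at zero a child cannot
 * raise it again. Returns 0 on success, -1 on failure. */
int disable_core_dumps(void)
{
    struct rlimit rl;
    rl.rlim_cur = 0;
    rl.rlim_max = 0;
    return setrlimit(RLIMIT_CORE, &rl);
}

/* 1 if the calling process's soft core limit is zero, 0 if a core file
 * could still be written, -1 on error. */
int core_dumps_disabled(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    return rl.rlim_cur == 0 ? 1 : 0;
}

/* Fork without exec, as rlogin did, and report what the child observes.
 * Returns 0 when the child inherited a zero core limit, 1 when the child
 * could still dump core, -1 on fork/wait error. */
int forked_child_core_limit(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(core_dumps_disabled() == 1 ? 0 : 1);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    if (disable_core_dumps() != 0) { perror("setrlimit"); return 1; }
    printf("parent core dumps disabled: %d\n", core_dumps_disabled());
    printf("child inherited zero core limit: %s\n",
           forked_child_core_limit() == 0 ? "yes" : "no");
    return 0;
}
```

Later FreeBSD releases also expose the kernel-side behaviour as the sysctl kern.sugid_coredump (off by default); the limit above is a belt-and-braces measure the program controls itself.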