From owner-freebsd-hackers Mon Oct 21 05:07:56 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id FAA09290 for hackers-outgoing; Mon, 21 Oct 1996 05:07:56 -0700 (PDT)
Received: from black.oaktree.co.uk (black.oaktree.co.uk [194.217.216.129]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id FAA09276 for ; Mon, 21 Oct 1996 05:07:51 -0700 (PDT)
Received: (from jon@localhost) by black.oaktree.co.uk (8.7.5/8.7.3) id NAA22911; Mon, 21 Oct 1996 13:06:11 +0100 (BST)
From: Jon Ribbens
Message-Id: <199610211206.NAA22911@black.oaktree.co.uk>
Subject: Re: setuid, core dumps, ftpd, and DB
To: mycroft@mit.edu (Charles M. Hannum)
Date: Mon, 21 Oct 1996 13:06:11 +0100 (BST)
Cc: tech-userlevel@NetBSD.ORG, freebsd-hackers@freefall.FreeBSD.org
In-Reply-To: from "Charles M. Hannum" at Oct 19, 96 11:27:17 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Charles M. Hannum wrote:
> * In the particular case of ftpd, if you've logged in as a user other
> than root, then your saved, real, and effective uids do not match, so
> the previous check we used to use (ruid != svuid || ruid != euid)
> would catch this. So, unless you're logged in as root, you'd be hard
> pressed to get ftpd to core dump. (except on 1.1, when it's easy)
>
> * Do you prevent core dumps if you've ever had any tainted data, or do
> you attempt to decide when you no longer have any?
>
> * If the latter, how? Always zero buffers (including partial zeroing
> of stdio buffers as you read from them!), create new interfaces to the
> libraries to inform them which data is secure, etc? Garbage
> collection? B-)

In the case of ftpd, at least, I think that it should be split into two
programs. The front-end program would accept the connection, ask for the
user-name and password, setuid and chroot as necessary and then exec
another program which would handle the data transfers. This probably isn't
a trivial change though ;-). It's something to bear in mind when writing
future programs though. (cf 'login')

Cheers

Jon

____ \ // Jon Ribbens // \// jon@oaktree.co.uk //
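The privilege-drop step of the front-end Jon describes, together with the uid-consistency condition (ruid == euid == svuid) behind the kernel check Charles quotes, written out as an added example; this is constructed illustration, not ftpd's or either poster's code, and it assumes a Linux/glibc system (the explicit prototypes below match glibc) and the hypothetical helper names confine_and_drop and uids_consistent.

```c
/* Constructed example: after authentication, the front-end confines itself
 * (optional chroot) and switches to the user's uid/gid, so the transfer
 * program it execs starts with real == effective == saved uid. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* getresuid() is a BSD/Linux extension; declared explicitly (glibc signature)
 * so the example builds whatever feature-test macros the headers saw first. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setgroups(size_t n, const gid_t *groups);
int chroot(const char *path);

/* 1 when real, effective and saved uids all agree. That is the negation of
 * the old check (ruid != svuid || ruid != euid): once they agree, no dormant
 * privilege remains in the saved uid, which is what made a core dump of a
 * setuid process a data leak. */
int uids_consistent(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return 0;
    return r == e && e == s;
}

/* Confine to dir (when non-NULL) and drop to uid/gid. Order matters:
 * chroot needs root, so it comes first; then supplementary groups, then
 * gid, then uid, because each later step removes what the earlier needs.
 * Returns 0 on success, -1 (errno set) on failure. */
int confine_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    if (dir != NULL && (chroot(dir) != 0 || chdir("/") != 0))
        return -1;
    if (geteuid() == 0 && setgroups(0, NULL) != 0)  /* clear inherited groups */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)  /* as root this sets all three uids at once */
        return -1;
    if (uid != 0 && setuid(0) == 0) {  /* the drop must be irreversible */
        errno = EPERM;
        return -1;
    }
    return uids_consistent() ? 0 : -1;
}
```

Dropping to the caller's own ids is a no-op that still exercises every check, which is how the function can be tried without root.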