Date: Sun, 20 Oct 1996 09:41:39 +0200 (MET DST)
From: J Wunsch <j@uriah.heep.sax.de>
To: tech-userlevel@NetBSD.ORG, freebsd-hackers@freefall.freebsd.org
Subject: Re: setuid, core dumps, ftpd, and DB
Message-ID: <199610200741.JAA27953@uriah.heep.sax.de>
In-Reply-To: <22293.845793624@critter.tfs.com> from Poul-Henning Kamp at "Oct 20, 96 08:40:24 am"
As Poul-Henning Kamp wrote:

> It was pointed out by me already 8 years ago:
>
> "[...] core-dumps as default is an evil thing. There should be
> some way to >enable< core-dumps when you want them, rather than
> have them as default. This would also solve security issue
> where a core-dump may contain sensitive information. [...]"
>
> What we need is really a new syscall:
>
> procctl(pid, function, arg)

The only problem with this is that programs tend to dump core without asking the developer first. ;-) That's the nature of bugs; the programmer often does not anticipate them. Thus, they are sometimes a good means for a post-mortem analysis.

So it should at least be possible to centrally override the `no core dump' flag site-wide, e.g. by a sysctl that is only allowed to root (and only if the securelevel is low enough). This would give sites that are doing development but don't care that much for security problems (since they can basically trust their users) a means to avoid bloating all their programs with yet another operating-system non-portable system call.

> PROCCTL_CORENAME
> (arg is pathname to use for corefile)

This might open a can of worms. Think of somebody maliciously setting the filename to "/etc/master.passwd". Think of the daily cleanup jobs that try to purge old coredumps.

-- 
cheers, J"org                    joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)
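The per-process opt-out the thread argues about, shown as an added example that is not part of the original message or of the procctl proposal: a program that holds sensitive data lowers its own RLIMIT_CORE to zero with the existing setrlimit() interface, so a crash cannot write that memory to a core file. The `secret` buffer is a constructed stand-in for a password or key.

```c
/* Added example: disable core dumps for a process that handles secrets.
 * Uses the POSIX RLIMIT_CORE resource limit rather than a new syscall. */
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Set both soft and hard core-file limits to zero for this process.
 * Lowering a limit never needs privilege; dropping the hard limit too
 * means neither this process nor any child can raise it again.
 * Returns 0 on success, -1 (with errno set) on failure. */
int disable_core_dumps(void)
{
    struct rlimit rl;
    rl.rlim_cur = 0;
    rl.rlim_max = 0;
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Current soft core-file limit; RLIM_INFINITY means a full dump is allowed. */
rlim_t current_core_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return RLIM_INFINITY;
    return rl.rlim_cur;
}

/* 1 if a crash of this process can no longer produce a core file. */
int core_dumps_disabled(void)
{
    return current_core_limit() == 0;
}

int main(void)
{
    /* Constructed sample; stands in for a password or key buffer. */
    char secret[64] = "constructed-sample-secret";

    if (disable_core_dumps() != 0) {
        perror("setrlimit(RLIMIT_CORE)");
        return 1;
    }
    printf("core limit now %llu, secret length %zu\n",
           (unsigned long long)current_core_limit(), strlen(secret));
    /* From here on, a SIGSEGV in this process leaves no core file behind. */
    return core_dumps_disabled() ? 0 : 1;
}
```

The limit is inherited across fork() and exec(), so a wrapper that calls this before starting an untrusted or crash-prone program gets the same protection without changing that program.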