From: Ravi Pokala <rpokala@freebsd.org>
To: Eugene Grosbein, freebsd-hackers@freebsd.org
Date: Mon, 08 Oct 2018 15:48:39 -0700
Subject: Re: coredumps disallowed when creds are changed?
Message-ID: <505EC621-4F7D-4857-A81A-38AF71909000@panasas.com>
In-Reply-To: <2e5b1b34-7bd7-f1b8-4f6a-9c794402d2c4@grosbein.net>
List-Id: Technical Discussions relating to FreeBSD <freebsd-hackers@freebsd.org>

-----Original Message-----
From: Eugene Grosbein
Date: 2018-10-08, Monday at 15:33
To: Ravi Pokala, freebsd-hackers@freebsd.org
Subject: Re: coredumps disallowed when creds are changed?

> 09.10.2018 4:31, Ravi Pokala wrote:
>
>> Greetings hackers.
>>
>> core(5) states:
>>
>>> By default, a process that changes user or group credentials
>>> whether real or effective will not create a corefile.
>>> This behaviour can be changed to generate a core dump by setting
>>> the sysctl(8) variable kern.sugid_coredump to 1.
>>
>> Can someone explain why?
>
> Real/effective user/group id often are changed for a process started
> by a non-privileged user running a set[ug]id binary like csh/chpass/passwd(1)
> that can read sensitive system data similar to /etc/master.passwd
> containing password hashes. If such a utility reads sensitive data
> and then crashes due to a bug, its coredump may leak data to unexpected places
> of the file system like the /home partition, then go to a dump/backup of the file system,
> get uploaded offsite as part of a backup etc. That should not happen by default.

That makes perfect sense. Thanks Eugene!

-Ravi (rpokala@)
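The check a practitioner would want after reading this thread is a quick way to confirm a FreeBSD host still has the default Eugene describes, and that, where cores are allowed, they do not land in the crashing process's working directory (core(5) writes the core relative to that directory unless kern.corefile is an absolute path). The script below is an added example, not code from this thread or from FreeBSD. It assumes the `name: value` output format of sysctl(8); the two sample outputs are constructed, and the `/var/coredumps` path in the hardened sample is a hypothetical choice, not a FreeBSD default.

```python
"""Audit FreeBSD core-dump sysctls for the set-id leak described in the thread.

Added example: flags kern.sugid_coredump=1 (set[ug]id processes become
dumpable) and a relative kern.corefile pattern (cores land in the crashing
process's working directory, e.g. a user's home, from where backups copy them).
"""
import re
import subprocess

# Tunables the check reads; names are those documented in core(5)/sysctl(8).
AUDITED = ("kern.coredump", "kern.sugid_coredump", "kern.corefile")

# Constructed sample: a host where the knob core(5) warns about was flipped.
SAMPLE_WEAK = """\
kern.coredump: 1
kern.sugid_coredump: 1
kern.corefile: %N.core
"""

# Constructed sample: default kept, cores steered into one root-owned directory
# (/var/coredumps is a hypothetical path chosen for this example).
SAMPLE_HARDENED = """\
kern.coredump: 1
kern.sugid_coredump: 0
kern.corefile: /var/coredumps/%N.%P.core
"""

_LINE = re.compile(r"^([A-Za-z0-9_.]+):\s*(.*)$")


def parse_sysctl(text):
    """Turn `sysctl name ...` output ('name: value' per line) into a dict."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def audit(settings):
    """Return a list of findings; an empty list means the safe defaults hold."""
    findings = []
    if settings.get("kern.coredump") == "0":
        # No process dumps core at all, so the set-id case cannot leak.
        return findings
    if settings.get("kern.sugid_coredump", "0") != "0":
        findings.append(
            "kern.sugid_coredump is enabled: a crashing set[ug]id program "
            "(passwd(1), chpass(1), ...) writes memory that may hold "
            "/etc/master.passwd contents into a core file")
    corefile = settings.get("kern.corefile", "%N.core")
    if not corefile.startswith("/"):
        findings.append(
            "kern.corefile=%r is relative: cores land in the crashing "
            "process's working directory (e.g. a home directory), from "
            "where dumps/backups pick them up" % corefile)
    return findings


def live_settings():
    """Query the running kernel; FreeBSD only (sysctl names differ elsewhere)."""
    out = subprocess.run(["sysctl", *AUDITED], capture_output=True,
                         text=True, check=True).stdout
    return parse_sysctl(out)


if __name__ == "__main__":
    for line in audit(live_settings()) or ["OK: set-id core dumps are disabled"]:
        print(line)
```

Run it as root on the host under review; on a default install it prints the OK line. Turning kern.sugid_coredump on for debugging a crashing set-id daemon is legitimate, but pair it with an absolute, root-owned kern.corefile so the dump never lands in a user-writable or backed-up tree, and turn it back off afterwards.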