Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 23 Mar 2015 21:47:11 -0500
From:      Bryan Drewery <bdrewery@FreeBSD.org>
To:        Rui Paulo <rpaulo@me.com>
Cc:        svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, Rui Paulo <rpaulo@FreeBSD.org>
Subject:   Re: svn commit: r280410 - head/sys/kern
Message-ID:  <5510D02F.2080007@FreeBSD.org>
In-Reply-To: <29715C14-0AC2-43A2-A718-E89AC3C57AC0@me.com>
References:  <201503240217.t2O2HHgU052651@svn.freebsd.org> <5510CB0E.5010208@FreeBSD.org> <29715C14-0AC2-43A2-A718-E89AC3C57AC0@me.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
On 3/23/15 9:35 PM, Rui Paulo wrote:
> On Mar 23, 2015, at 19:25, Bryan Drewery <bdrewery@FreeBSD.org> wrote:
>>
>> On 3/23/15 9:17 PM, Rui Paulo wrote:
>>> Author: rpaulo
>>> Date: Tue Mar 24 02:17:17 2015
>>> New Revision: 280410
>>> URL: https://svnweb.freebsd.org/changeset/base/280410
>>>
>>> Log:
>>>    Disable coredump_devctl because it could lead to leaking paths to
>>>    jails.
>>>
>>> Modified:
>>>    head/sys/kern/kern_sig.c
>>>
>>> Modified: head/sys/kern/kern_sig.c
>>> ==============================================================================
>>> --- head/sys/kern/kern_sig.c	Tue Mar 24 01:32:46 2015	(r280409)
>>> +++ head/sys/kern/kern_sig.c	Tue Mar 24 02:17:17 2015	(r280410)
>>> @@ -180,7 +180,7 @@ static int	set_core_nodump_flag = 0;
>>>   SYSCTL_INT(_kern, OID_AUTO, nodump_coredump, CTLFLAG_RW, &set_core_nodump_flag,
>>>   	0, "Enable setting the NODUMP flag on coredump files");
>>>
>>> -static int	coredump_devctl = 1;
>>> +static int	coredump_devctl = 0;
>>>   SYSCTL_INT(_kern, OID_AUTO, coredump_devctl, CTLFLAG_RW, &coredump_devctl,
>>>   	0, "Generate a devctl notification when processes coredump");
>>>
>>>
>>
>> If there is a security concern about this feature I think more needs to be done than just flipping the default. It could easily be forgotten about and make a release.
>
> Sure, but to be honest there are already sysctls that make your system insecure and we've been making releases with them for many years.
>
> --
> Rui Paulo
>

I just think the known issue should be documented at the least.

-- 
Regards,
Bryan Drewery

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5510D02F.2080007>