From owner-freebsd-hackers  Thu Oct 17 15:11:25 1996
Return-Path: owner-hackers
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id PAA03582
          for hackers-outgoing; Thu, 17 Oct 1996 15:11:25 -0700 (PDT)
Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.eu.org [193.56.58.253])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA03570
          for <freebsd-hackers@freebsd.org>; Thu, 17 Oct 1996 15:11:17 -0700 (PDT)
Received: from brasil.brainstorm.eu.org (brasil.brainstorm.eu.org [193.56.58.33]) by mexico.brainstorm.eu.org (8.7.5/8.7.3) with ESMTP id XAA29188 for <freebsd-hackers@freebsd.org>; Thu, 17 Oct 1996 23:09:49 +0100
Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.6.12/8.6.12) with UUCP id AAA09734 for freebsd-hackers@freebsd.org; Fri, 18 Oct 1996 00:09:24 +0200
Received: (from roberto@localhost) by keltia.freenix.fr (8.8.0/keltia-uucp-2.9) id AAA22502; Fri, 18 Oct 1996 00:08:21 +0200 (MET DST)
Message-Id: <199610172208.AAA22502@keltia.freenix.fr>
Date: Fri, 18 Oct 1996 00:08:20 +0200
From: roberto@keltia.freenix.fr (Ollivier Robert)
To: freebsd-hackers@freebsd.org
Subject: Re: cvs commit: src/lib/libc/db/hash hash_buf.c
In-Reply-To: <199610171900.MAA06276@lestat.nas.nasa.gov>; from Jason Thorpe on Oct 17, 1996 12:00:53 -0700
References: <199610171900.MAA06276@lestat.nas.nasa.gov>
X-Mailer: Mutt 0.47.13
Mime-Version: 1.0
X-Operating-System: FreeBSD 2.2-CURRENT ctm#2584
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

According to Jason Thorpe:
> Given (c), if the program is run by root, and it drops a core file,
> only root can read it.

A side point: I was able to override a file with a symlink named ftpd.core
on a 2.1.0 system... It means that the kernel silently followed the symlink
and it is BAD.

The "quote pasv" problem (and core) won't happen in 2.2-CURRENT because
P_SUGID bit is set but one could probably make some root-owned program and
overwrite any file.

The code in kern_sig.c doesn't seem to follow symlinks but it did on
2.1.0. Can anyone more knowledgeable with the code confirm please ?

FYI: Solaris up to 2.5.1 seems to follow them, pfff.
-- 
Ollivier ROBERT    -=- The daemon is FREE! -=-    roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 2.2-CURRENT #25: Tue Oct 15 21:13:57 MET DST 1996