Date:      Thu, 17 Oct 1996 22:33:46 -0700
From:      "Justin T. Gibbs" <gibbs@freefall.freebsd.org>
To:        Karl Denninger <karl@Mcs.Net>
Cc:        jdp@polstra.com (John Polstra), ache@nagual.ru, guido@gvr.win.tue.nl, thorpej@nas.nasa.gov, phk@critter.tfs.com, freebsd-hackers@freebsd.org, tech-userlevel@NetBSD.ORG
Subject:   Re: cvs commit: src/lib/libc/db/hash hash_buf.c 
Message-ID:  <199610180533.WAA26215@freefall.freebsd.org>
In-Reply-To: Your message of "Fri, 18 Oct 1996 00:21:38 CDT." <199610180521.AAA08257@Jupiter.Mcs.Net> 

>Forcing ANYTHING that touches authentication to refuse to dump core is not
>the answer.  Yet that is the only answer that you leave available.
>
>Worse, that doesn't even BEGIN to address the problems that come about if
>you can ptrace() the process -- which, for something like this, is a REAL
>problem.
>
>You MUST be able to *know* that all privileged data has been nuked BEFORE
>you relinquish privileged operation.  This isn't an option, folks -- it's a
>REQUIREMENT for security reasons.
>
>Figure it out.  ftpd is not the only affected program here; just the most
>commonly known and exploited.

Did you miss a portion of this thread?  I think that Jason already
addressed all of these issues.

The program can core dump, the core dump will simply only be readable
by root.

There are already protections enforced to disallow non-privileged users
from ptracing programs that are setuid/setgid.

>--
>Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
>http://www.mcs.net/~karl     | T1 from $600 monthly; speeds to DS-3 available
>			     | 23 Chicagoland Prefixes, 13 ISDN, much more
>Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
>Fax:   [+1 312 248-9865]     | Home of Chicago's only FULL Clarinet feed!

--
Justin T. Gibbs
===========================================
  FreeBSD: Turning PCs into workstations
===========================================
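The requirement Karl states above, knowing that the privileged data has been wiped before privilege is relinquished, is one that the program itself can check rather than assume. The following is an added example, not code from either poster or from ftpd: it zeroes a password buffer through a volatile pointer (so the compiler cannot discard the stores as dead, which a plain memset before return commonly suffers), verifies the buffer really is zero, and only then drops privilege. The password string, the 64-byte working buffer and the function names are constructed for the illustration.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* Zero a buffer through a volatile pointer so the compiler must emit
 * every store; an ordinary memset() on a buffer that is never read again
 * is a dead store the optimizer is allowed to remove. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Return 1 if every byte of buf is zero, else 0.  This is the check that
 * lets the caller *know* the secret is gone instead of assuming it. */
static int is_all_zero(const unsigned char *buf, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Hypothetical authentication step: copy the password into a working
 * buffer, do the privileged work, wipe the copy, verify the wipe, and
 * only then give up privilege.  Returns 1 on success, 0 if the password
 * does not fit, the wipe cannot be verified, or the privilege drop fails. */
int authenticate_and_drop(const char *password)
{
    unsigned char work[64];            /* constructed size for the example */
    size_t len = strlen(password);
    if (len >= sizeof work)
        return 0;
    memcpy(work, password, len + 1);

    /* ... privileged authentication work using `work` would go here ... */

    secure_zero(work, sizeof work);
    if (!is_all_zero(work, sizeof work))
        return 0;                      /* refuse to go on with secrets resident */

    /* Relinquish privilege only after the wipe is verified.  For an
     * unprivileged caller setuid(getuid()) is a no-op that succeeds, so
     * this also runs as an ordinary user. */
    if (setuid(getuid()) != 0)
        return 0;
    return 1;
}
```

This only covers the buffer the program controls: the caller's original copy of the password, and any copies the compiler spilled to the stack while computing with it, are not touched, which is why wiping is one part of the answer and not a substitute for the root-only core file and the ptrace restriction on setuid programs that Justin points to.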



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199610180533.WAA26215>