Date: Fri, 18 Oct 1996 10:37:09 -0700
From: Jason Thorpe <thorpej@nas.nasa.gov>
To: Karl Denninger <karl@mcs.net>
Cc: freebsd-hackers@freebsd.org, tech-userlevel@netbsd.org
Subject: Re: cvs commit: src/lib/libc/db/hash hash_buf.c
Message-ID: <199610181737.KAA24797@lestat.nas.nasa.gov>
On Fri, 18 Oct 1996 11:56:57 -0500 (CDT) Karl Denninger <karl@Mcs.Net> wrote:

> If you're arguing for no core dumps of anything which could contain
> sensitive data, then the bottom line is that you have to decline any of the
> following:
>
> 1) ptrace() on any process which was STARTED Suid (not "currently is"
> SUID). This precludes debugging on a process in this state.

...unless you're root. It's not a stretch to assume that if you're debugging a setuid-0 system executable, you have root privvies on the system.

> 2) Any process which starts with the SUID or SGID bit on must
> internally decline to dump core (regardless of ulimit settings) at
> all times -- both while SUID and *IF SUID IS REVOKED BY THE JOB*.

The program doesn't have to do this... the _kernel_ should (and, under NetBSD, does); see coredump() in kern_sig.c.

Quite honestly, I think it's very much worth the trade-off of "Gee, that program didn't core when it crashed" or "Gee, I can't read the core it dropped" in order to keep sensitive information out of the hands of bozos.

Jason R. Thorpe                                  thorpej@nas.nasa.gov
NASA Ames Research Center                        Home: 408.866.1912
NAS: M/S 258-6                                   Work: 415.604.0935
Moffett Field, CA 94035                          Pager: 415.428.6939
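Added example, not code from the thread or from NetBSD's coredump(): what Karl's item 2 asks of a program, done from userland as defense in depth for a process that handles secrets but is not setuid (so the kernel's set-id check never applies to it). It assumes a POSIX system; the prctl() calls are Linux-only and guarded by #ifdef, and on Linux clearing the dumpable flag also makes the kernel refuse PTRACE_ATTACH from unprivileged same-uid callers, which covers Karl's item 1 for that process. The secret string and the checksum that stands in for "using" it are constructed for the demo.

```c
/* Added example: make this process non-dumpable before any secret is in
 * memory, read the state back from the kernel, use the secret, scrub it.
 * Linux-specific pieces are guarded; the rest is POSIX. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Refuse core dumps from this process regardless of the inherited ulimit.
 * RLIMIT_CORE = 0 is POSIX and stops the dump. On Linux the dumpable flag
 * additionally denies PTRACE_ATTACH to unprivileged same-uid callers.
 * Returns 0 on success, -1 on failure. */
int disable_core_dumps(void)
{
    struct rlimit rl;
    rl.rlim_cur = 0;
    rl.rlim_max = 0;            /* lowering a limit never needs privilege */
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
#ifdef __linux__
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
#endif
    return 0;
}

/* Read the state back from the kernel instead of trusting our own bookkeeping.
 * Returns 1 only if no core can be written (and, on Linux, dumpable is clear). */
int core_dumps_disabled(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0 || rl.rlim_cur != 0)
        return 0;
#ifdef __linux__
    if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) != 0)
        return 0;
#endif
    return 1;
}

/* Overwrite secret material through a volatile pointer so the compiler
 * cannot drop the stores as dead; a plain memset() on a buffer that is never
 * read again is routinely optimised away. */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Returns 1 if every byte of buf is zero. */
int all_zero(const unsigned char *buf, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Fill a buffer with non-zero bytes, wipe it, report whether the wipe held. */
int wipe_demo(void)
{
    unsigned char b[32];
    memset(b, 0xff, sizeof b);
    secure_wipe(b, sizeof b);
    return all_zero(b, sizeof b);
}

/* Demo workflow: refuse to load the secret into a dumpable process, then use
 * it (a byte sum stands in for real key use) and scrub it. Returns the sum,
 * or -1 if the process could not be made non-dumpable or the wipe failed. */
int use_secret(const char *constructed_secret)
{
    unsigned char buf[64];
    size_t n = strlen(constructed_secret);
    int sum = 0;

    if (n > sizeof buf)
        return -1;
    if (disable_core_dumps() != 0 || !core_dumps_disabled())
        return -1;
    memcpy(buf, constructed_secret, n);
    for (size_t i = 0; i < n; i++)
        sum += buf[i];
    secure_wipe(buf, sizeof buf);
    return all_zero(buf, sizeof buf) ? sum : -1;
}

int main(void)
{
    const char *secret = "hunter2-example-key";   /* constructed, not a real credential */
    int r = use_secret(secret);
    printf("core dumps disabled: %d, secret checksum: %d\n",
           core_dumps_disabled(), r);
    return r < 0;
}
```

This is the program-side belt and braces; it does not replace the kernel-side check Jason describes, which on FreeBSD is governed by the kern.sugid_coredump sysctl and on Linux by fs.suid_dumpable (both off by default, so set-id processes never dump). Note that setrlimit() alone leaves ptrace() unaffected; only the Linux dumpable flag (or dropping privileges outright) closes that path.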