From: Jason Thorpe
To: Karl Denninger
Cc: freebsd-hackers@freebsd.org, tech-userlevel@netbsd.org
Subject: Re: cvs commit: src/lib/libc/db/hash hash_buf.c
Date: Fri, 18 Oct 1996 10:37:09 -0700
Message-Id: <199610181737.KAA24797@lestat.nas.nasa.gov>

On Fri, 18 Oct 1996 11:56:57 -0500 (CDT) Karl Denninger wrote:

> If you're arguing for no core dumps of anything which could contain
> sensitive data, then the bottom line is that you have to decline any of the
> following:
>
> 1) ptrace() on any process which was STARTED Suid (not "currently is"
>    SUID). This precludes debugging on a process in this state.

...unless you're root. It's not a stretch to assume that if you're
debugging a setuid-0 system executable, that you have root privvies on
the system.

> 2) Any process which starts with the SUID or SGID bit on must
>    internally decline to dump core (regardless of ulimit settings) at
>    all times -- both while SUID and *IF SUID IS REVOKED BY THE JOB*.

The program doesn't have to do this... the _kernel_ should (and, under
NetBSD, does); see coredump() in kern_sig.c.

Quite honestly, I think it's very much worth the trade-off of "Gee, that
program didn't core when it crashed" or "Gee, I can't read the core it
dropped" in order to keep sensitive information out of the hands of bozos.

Jason R. Thorpe                                       thorpej@nas.nasa.gov
NASA Ames Research Center                               Home: 408.866.1912
NAS: M/S 258-6                                          Work: 415.604.0935
Moffett Field, CA 94035                                Pager: 415.428.6939
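
The policy discussed in this message, as an added example that is not part of the original post and is not the NetBSD code in kern_sig.c: a simplified user-space model in which a "started set-id" flag survives a later privilege drop and gates both core dumps and ptrace attach. The struct, the function names and the uid 1001 are hypothetical.

```c
#include <stdbool.h>
#include <sys/types.h>

/* Hypothetical model of per-process state; not NetBSD's struct proc. */
struct proc_model {
    uid_t ruid, euid;   /* real and effective user id */
    bool  sugid;        /* image was started set-id; survives privilege drops */
};

/* exec: a set-id image switches euid and taints the process. A normal image
 * clears the taint only when no elevated identity is left over. */
static void model_exec(struct proc_model *p, bool setuid_bit, uid_t file_uid)
{
    if (setuid_bit) {
        p->euid = file_uid;
        p->sugid = true;
    } else if (p->ruid == p->euid) {
        p->sugid = false;
    }
}

/* setuid(): drop to uid. The taint stays: memory may hold privileged data. */
static int model_setuid(struct proc_model *p, uid_t uid)
{
    if (p->euid != 0 && uid != p->ruid)
        return -1;
    p->ruid = p->euid = uid;
    return 0;
}

/* Core dump decision: keyed on how the process started, not on current ids. */
static bool may_dump_core(const struct proc_model *p)
{
    return !p->sugid;
}

/* Attach decision: a tainted target is debuggable by root only. */
static bool may_ptrace(uid_t tracer_euid, const struct proc_model *target)
{
    return tracer_euid == 0 || (!target->sugid && tracer_euid == target->ruid);
}

int main(void)
{
    struct proc_model p = { 1001, 1001, false };
    model_exec(&p, true, 0);   /* user 1001 runs a setuid-root binary */
    model_setuid(&p, 1001);    /* the program revokes its privileges */
    /* exit 0 when the dump is still refused and only root may attach */
    return (!may_dump_core(&p) && !may_ptrace(1001, &p) && may_ptrace(0, &p)) ? 0 : 1;
}
```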