From owner-freebsd-security Wed Feb 19 04:28:10 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id EAA20187 for security-outgoing; Wed, 19 Feb 1997 04:28:10 -0800 (PST)
Received: from root.com (implode.root.com [198.145.90.17]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id EAA20182 for ; Wed, 19 Feb 1997 04:28:07 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by root.com (8.8.5/8.6.5) with SMTP id EAA11960; Wed, 19 Feb 1997 04:28:55 -0800 (PST)
Message-Id: <199702191228.EAA11960@root.com>
X-Authentication-Warning: implode.root.com: localhost [127.0.0.1] didn't use HELO protocol
To: Reinier Bezuidenhout
cc: jas@flyingfox.COM, security@freebsd.org
Subject: Re: Coredumps and setuids .. interesting..
In-reply-to: Your message of "Sat, 19 Feb 1997 10:56:11 +0200." <199702190856.KAA26329@oskar.nanoteq.co.za>
From: David Greenman
Reply-To: dg@root.com
Date: Wed, 19 Feb 1997 04:28:55 -0800
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Why I posted this is that I thought someone said it was fixed in 2.1.6,
>but I was wrong since I noticed (tested) it on 2.1.7 and later and
>it does NOT work there.

   It was sort of fixed in 2.1.6 - coredumps of 'normal' setuid programs are
prevented, but rlogin is a special case that still could coredump (the
original parent can't, but the child it forks can). This was fixed in 2.1.7.

>mail it ... but would rather not :) ... but seeing that 2.1.7
>has been released, there is no point in worrying about this anymore
>... right ?

   Right. If people chose not to upgrade to 2.1.7, then they've got bigger
security holes to worry about. :-)

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project