Date: Tue, 9 Jul 1996 22:52:40 +0400 (MSD)
From: Andrey A. Chernov <ache@nagual.ru>
To: current@freebsd.org (FreeBSD-current)
Cc: security@freebsd.org
Subject: It is impossible even for root to make core from [sg]uid process!
Message-ID: <199607091852.WAA00325@nagual.ru>
As the subject says, it is impossible even for root to debug a
[sg]uid program (especially a daemon) without a core from it.
The following block from kern_sig.c stops the core dump:
    /*
     * If we are setuid/setgid, or if we've changed uid's in the past,
     * we may be holding privileged information. We must not core!
     */
    if (pcred->p_svuid != pcred->p_ruid || pcred->p_svgid != pcred->p_rgid)
        return (EFAULT);
    if (p->p_flag & P_SUGID)
        return (EFAULT);
IMHO this code restricts too much: the only case it is needed for is
the uid 0 -> user_id transition. It is NOT needed for the user_id -> 0
transition, because the core file can be owned by root in this case
with 0600 permissions.
I want to wrap this block:
    if (pcred->p_ruid) {    /* non-root case */
        [block]             /* the kern_sig.c check quoted above, unchanged */
    } else {                /* root case */
        euid = 0;           /* to make program.core owned by root, 0600 */
    }
This fix allows cores from most daemons, because they are
usually started by root (ruid == 0).
Any comments?
--
Andrey A. Chernov
<ache@nagual.ru>
http://www.nagual.ru/~ache/
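A user-space model of the decision discussed in this message, added here as an illustration; it is not part of the original e-mail or of the FreeBSD source. The struct and function names are invented, and the 0600 core-file mode is taken from the message rather than from kern_sig.c.

```c
#include <sys/types.h>
#include <stdbool.h>
#include <errno.h>

/* Hypothetical model of the credential fields the quoted check reads. */
struct pcred_model {
    uid_t p_ruid, p_svuid;   /* real and saved uid */
    gid_t p_rgid, p_svgid;   /* real and saved gid */
    bool  p_sugid;           /* P_SUGID: ids changed at some point */
};

struct core_decision {
    int    error;   /* 0 = core is written, else the errno returned */
    uid_t  owner;   /* uid the core file would be created as */
    mode_t mode;    /* permission bits of the core file (assumed 0600) */
};

/* The unmodified kern_sig.c check: refuse to dump if the process is,
 * or ever was, setuid/setgid. */
static int original_check(const struct pcred_model *pc)
{
    if (pc->p_svuid != pc->p_ruid || pc->p_svgid != pc->p_rgid)
        return EFAULT;
    if (pc->p_sugid)
        return EFAULT;
    return 0;
}

/* With proposed == false this is the stock behaviour.  With proposed ==
 * true the check is kept for processes whose real uid is not 0, while a
 * process with ruid == 0 is always dumped, but as root with mode 0600, so
 * whatever privileged data the image holds stays readable only by root. */
struct core_decision decide_coredump(const struct pcred_model *pc,
                                     uid_t euid, bool proposed)
{
    struct core_decision d = { 0, euid, 0600 };
    if (!proposed || pc->p_ruid != 0)
        d.error = original_check(pc);   /* non-root case: block unchanged */
    else
        d.owner = 0;                    /* root case: force euid = 0 */
    return d;
}
```

A setuid-root binary started by an ordinary user keeps ruid == user, so it still falls into the unchanged branch under the proposal; only processes that were started by root gain a dump.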
