With the current behavior typical server programs that switch euid
don't dump core. This is done "for security".
If the core file pattern exists the dump is written to but readable
for the file owner (not necessarily root - don't argue: only chdir into
dirs that only root can write to: think of file servers like samba)
The patch below addresses this (but still not perfect).
What I would like to see: instead of mm->dumpable=0 when calling seteuid()
something like mm->dumpAs=root and making sure that the core is owned by root
mode 600
I could install a sighandler that calls prctl(PR_SET_DUMPABLE,1,0,0,0),
switch euid to root, but still the formerly placed core is owned by evil
user :(
Then I could read the core pattern and unlink such a file - and all this
just for the Linux platform...
--- fs/exec.c.orig 2004-04-05 09:41:31.134456912 +0200
+++ fs/exec.c 2004-04-05 09:29:55.614192064 +0200
@@ -1398,6 +1398,8 @@
if (!S_ISREG(inode->i_mode))
goto close_fail;
+ if (chown_common(file->f_dentry, current->euid, current->egid))
+ goto close_fail;
if (!file->f_op)
goto close_fail;
if (!file->f_op->write)
--- fs/open.c.orig 2004-04-05 09:43:39.229983432 +0200
+++ fs/open.c 2004-04-05 09:30:04.357862824 +0200
@@ -648,7 +648,7 @@
return error;
}
-extern int chown_common(struct dentry * dentry, uid_t user, gid_t group)
+int chown_common(struct dentry * dentry, uid_t user, gid_t group)
{
struct inode * inode;
int error;
--- include/linux/fs.h.orig 2004-04-05 09:42:52.205132296 +0200
+++ include/linux/fs.h 2004-04-05 09:28:08.215519144 +0200
@@ -1139,6 +1139,7 @@
extern struct file * dentry_open(struct dentry *, struct vfsmount *, int);
extern int filp_close(struct file *, fl_owner_t id);
extern char * getname(const char __user *);
+extern int chown_common(struct dentry *, uid_t, gid_t);
/* fs/dcache.c */
extern void vfs_caches_init(unsigned long);
Am Montag, 5. April 2004 10:27 schrieb Peter Waechtler:
> With the current behavior typical server programs that switch euid
> don't dump core. This is done "for security".
> If the core file pattern exists the dump is written to but readable
> for the file owner (not necessarily root - don't argue: only chdir into
> dirs that only root can write to: think of file servers like samba)
>
> The patch below addresses this (but still not perfect).
> What I would like to see: instead of mm->dumpable=0 when calling seteuid()
> something like mm->dumpAs=root and making sure that the core is owned by
> root mode 600
>
> I could install a sighandler that calls prctl(PR_SET_DUMPABLE,1,0,0,0),
> switch euid to root, but still the formerly placed core is owned by evil
> user :(
> Then I could read the core pattern and unlink such a file - and all this
> just for the Linux platform...
>
Unlink a previously existing core.
I tried on solaris - I find the behavior (tunable with coreadm) perfect:
Switched uid? -> create as root (unlink a previously and potentially opened
core first: yes it got a new inode) then creat(O_EXCL,0600)