2002-02-16 03:24:59

by Michael Sinz

Subject: Re: Core dump

Peter Waltenberg wrote:
>
> What's to stop someone creating a process (or a nodename) with an inspired
> (tm) name, and trashing or overwriting system files ?
>
> %P The Process ID (current->pid)
> %U The UID of the process (current->uid)
> %N The command name of the process (current->comm)
> %H The nodename of the system (system_utsname.nodename)
> %% A "%"
>
> The flexibility is nice, but can you PROVE it doesn't have holes like that
> ?

Actually - yes.

First, I cannot prevent some system admin from making the core pattern
a bad pattern. For example, a pattern of /usr/bin/%N would be a bad thing (tm).

However, as long as the system admin (who is the person who can set the pattern)
does not do that, the code prevents a rogue name (hostname or command name)
from causing problems.

(I prevent the use of "/" in either the hostname or command name, for example)

I have tried most everything I could think of. And, since the host name is
usually not settable by non-root, it makes it even less likely.

In fact, with a pattern like /corefiles/%H-%N-%P.core, there is even less
likelihood that a coredump can cause problems since I can make the /corefiles
partition its own location and thus coredumps will not write to the key
filesystem.

BTW - both FreeBSD and OpenBSD have a similar format (I took my inspiration
from FreeBSD, which I always liked better since the default there is %N.core)

> Just about everything we've had with variable logfile names has had holes
> like that. Samba is one of the more recent examples.

The key is to filter certain characters. Mostly the '/' in any of the
variables.

However, there is always the problem of someone with root access making
a bad setting in the sysctl. But then, if they have root, they don't
need to set some sysctl in order to cause damage.

--
Michael Sinz ---- Worldgate Communications ---- [email protected]
A master's secrets are only as good as
the master's ability to explain them to others.
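The point of the message above is that the pattern itself is admin-controlled and trusted, while the values substituted for %N and %H can be chosen by an unprivileged process, so the expander must refuse to let a directory separator through. Below is an added, user-space illustration of that split, written for this page and not Michael Sinz's kernel patch: the `struct core_ctx` is a constructed stand-in for `current->pid`, `current->uid`, `current->comm` and `system_utsname.nodename`, and replacing '/' with '!' is an assumed choice (the post only says '/' is filtered out, not what it becomes).

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed stand-in for the kernel fields named in the thread. */
struct core_ctx {
    long pid;
    long uid;
    const char *comm;      /* command name: any user can pick this */
    const char *nodename;  /* hostname: normally only root can set it */
};

/* Copy src into out at *pos, bounded by cap (room is kept for the NUL).
 * With sanitize set, every '/' becomes '!' (assumed replacement), so a
 * substituted value can never add a path component to the output. */
static bool emit(char *out, size_t cap, size_t *pos, const char *src, bool sanitize)
{
    for (; *src; src++) {
        if (*pos + 1 >= cap)
            return false;                      /* output buffer too small */
        out[(*pos)++] = (sanitize && *src == '/') ? '!' : *src;
    }
    return true;
}

/* Expand an admin-chosen core pattern with the %P %U %N %H %% specifiers.
 * Returns 0 on success, -1 on overflow, unknown specifier, or trailing '%'.
 * Only the literal pattern text is trusted to carry '/'. */
int format_corename(const char *pattern, const struct core_ctx *ctx,
                    char *out, size_t cap)
{
    size_t pos = 0;
    char num[32];
    bool ok = true;

    if (cap == 0)
        return -1;

    for (const char *p = pattern; ok && *p; p++) {
        if (*p != '%') {
            char lit[2] = { *p, '\0' };
            ok = emit(out, cap, &pos, lit, false);      /* admin text: trusted */
            continue;
        }
        switch (*++p) {
        case 'P':
            snprintf(num, sizeof num, "%ld", ctx->pid);
            ok = emit(out, cap, &pos, num, false);      /* digits only */
            break;
        case 'U':
            snprintf(num, sizeof num, "%ld", ctx->uid);
            ok = emit(out, cap, &pos, num, false);      /* digits only */
            break;
        case 'N':
            ok = emit(out, cap, &pos, ctx->comm, true);     /* untrusted */
            break;
        case 'H':
            ok = emit(out, cap, &pos, ctx->nodename, true); /* untrusted */
            break;
        case '%':
            ok = emit(out, cap, &pos, "%", false);
            break;
        default:
            return -1;   /* unknown specifier, or '%' at end of pattern */
        }
    }
    if (!ok)
        return -1;
    out[pos] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: both variable fields carry path separators. */
    struct core_ctx ctx = { 4242, 1000, "../../sh", "box/evil" };
    char path[256];

    if (format_corename("/corefiles/%H-%N-%P.core", &ctx, path, sizeof path) == 0)
        printf("%s\n", path);   /* /corefiles/box!evil-..!..!sh-4242.core */
    return 0;
}
```

Note that the filter lives in `emit`, not in the callers, so every future specifier that copies a user-influenced string has to opt in to `sanitize` explicitly; the admin caveat from the message still applies, since a pattern such as /usr/bin/%N is passed through untouched.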