Date: Thu, 22 Apr 2004 12:53:17 -0700
From: Chris Wright <chrisw@osdl.org>
To: =?iso-8859-1?Q?Peter_W=E4chtler?= <pwaechtler@mac.com>
Cc: Andrew Morton <akpm@osdl.org>, linux-kernel@vger.kernel.org,
       torvalds@osdl.org
Subject: Re: [PATCH] coredump - as root not only if euid switched
Message-ID: <20040422125317.Q22989@build.pdx.osdl.net>
References: <2899705.1082626850875.JavaMail.pwaechtler@mac.com> <20040422025638.0bf86599.akpm@osdl.org> <1082663036.2592.1.camel@picklock.adams.family>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2.5i
In-Reply-To: <1082663036.2592.1.camel@picklock.adams.family>; from pwaechtler@mac.com on Thu, Apr 22, 2004 at 09:43:57PM +0200
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1037
Lines: 27

* Peter W?chtler (pwaechtler@mac.com) wrote:
> Am Do, 2004-04-22 um 11.56 schrieb Andrew Morton:
> > Peter Waechtler <pwaechtler@mac.com> wrote:
> > >
> > >  >(why are you trying to unlink the old file anyway?)
> > >  >
> > > 
> > >  For security measure :O
> > >  I tried on solaris: touch the core file as user, open it and wait, dump core
> > >  as root -> nope, couldn't read the damn core - it was unlinked and created!
> > 
> > hm, OK.  There's a window in which someone can come in and recreate the
> > file, but the open is using O_EXCL|O_CREATE so that seems safe enough.
> 
> So here is the updated patch with an open coded call to sys_unlink

This patch breaks various ptrace() checks.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/