Bugtraq mailing list archives

Re: Tracing by uid u after root does setuid(u)

From: darren.moffat () UK Sun COM (Darren J Moffat - Enterprise Services OS Product Support Group)
Date: Fri, 15 Jan 1999 09:53:44 +0000

Perhaps the Sun kernel developers aren't aware that it's bad to allow
tracing after a program changes uid, but obviously they are aware that
it's bad to allow tracing of an unreadable program. In fact, the /proc
documentation identifies this as a security measure.


Just to complete the information of the state of Solaris 2.x and
core dumps.

This has long been fixed in Solaris.  (I think it was fixed before
2.6 was released; there's a patch for Solaris 2.5.1 also)


The relevant bug is: 4042883

Patch for 2.5.1 is the kernel update (103640) at rev 13 or higher.
It is integrated into 2.6, without patches.

Since the patch, programs that are set-uid, call set*uid or set*gid cannot
be traced and cannot dump core.  (Which upset yet another batch of
customers so there's an option in Solaris 7 to make set-uid programs
dump core if the kernel is so configured)


No core dump can be created ...

1. If the resource limit RLIMIT_CORE has been set to 0 for the process.
   Refer to setrlimit(2) and ulimit(1) for more on this.

2. If the file "core" exists in the current directory and is not a regular
   file (i.e. is a symlink, block or character special-file, etc)

3. If the current directory is part of a filesystem which is mounted read-only

4. If the file "core" exists in the current directory and is not writeable
   to the user-id associated with the process trying to dump core.

5. In Solaris 7, if the kernel cannot open the file "core" in the
   current directory O_EXCL, which might happen if another process is trying
   to dump core there at the same time.

6. If the process is setuid or setgid or has changed its uid or gid (by
   virtue of being root and executing any of the set*id(2) system calls).
   As Casper pointed out this upset some people so, In Solaris 7 these
   processes can be granted permission to dump core (at the risk of
   compromising secure data) by setting allow_setid_core to 1 in /etc/system,
   note that this is system wide so all set*id() programs will now be able
   to dump core, there is no facility to specify which programs.



--
Darren J Moffat

Current thread:

Re: Tracing by uid u after root does setuid(u) Darren J Moffat - Enterprise Services OS Product Support Group (Jan 15)
- <Possible follow-ups>
- Re: Tracing by uid u after root does setuid(u) D. J. Bernstein (Jan 16)