Discussion:
coredumps disallowed when creds are changed?
Ravi Pokala
2018-10-08 21:31:22 UTC
Greetings hackers.
By default, a process that changes user or group credentials whether real or effective will not create a corefile. This behaviour can be changed to generate a core dump by setting the sysctl(8) variable kern.sugid_coredump to 1.
Can someone explain why?

Thanks,

Ravi (rpokala@)
Eugene Grosbein
2018-10-08 22:33:31 UTC
Post by Ravi Pokala
Greetings hackers.
By default, a process that changes user or group credentials
whether real or effective will not create a corefile.
This behaviour can be changed to generate a core dump by setting the sysctl(8) variable kern.sugid_coredump to 1.
Can someone explain why?
Real/effective user/group id often are changed for a process started
by non-privileged user running set[ug]id binary like csh/chpass/passwd(1)
that can read sensitive system data similar to /etc/master.passwd
containing password hashes. If such utility reads sensitive data
and then crashes due to a bug, its coredump may leak data to unexpected places
of file system like /home partition, then go to a dump/backup of file system,
get uploaded offsite as part of backup etc. That should not happen by default.
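The kernel-side default Eugene describes (kern.sugid_coredump=0) is one layer; a set[ug]id utility that handles password hashes can also refuse to dump core on its own, so the protection does not depend on an administrator leaving the sysctl alone. The following is an added example, not code from the thread or from any FreeBSD utility: it lowers RLIMIT_CORE to zero (a POSIX call, so it builds on FreeBSD and elsewhere) before loading the sensitive record, and wipes the buffer when done. The record, the function names and the buffer size are constructed for the example.

```c
/*
 * Added example (not from the thread): a privileged utility that handles
 * secrets, such as password hashes, can refuse core dumps itself with
 * setrlimit(RLIMIT_CORE, 0) before touching the data, independent of the
 * kern.sugid_coredump setting. The secret below is a constructed value.
 */
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Hypothetical sensitive record, standing in for a line of /etc/master.passwd. */
static const char CONSTRUCTED_SECRET[] =
    "alice:$6$constructedhash$:1001:1001::0:0:Alice:/home/alice:/bin/sh";

/* Set the soft and hard core-file size limits to zero. Returns 0 on success,
 * -1 on failure. Lowering the hard limit is permitted for an unprivileged
 * process, and it cannot be raised again without privilege. */
int disable_core_dumps(void)
{
    struct rlimit rl;
    rl.rlim_cur = 0;
    rl.rlim_max = 0;
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Returns 1 if the current soft limit for core files is zero, else 0. */
int core_dumps_disabled(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    return rl.rlim_cur == 0;
}

/* Overwrite a buffer so that a later crash has less to leak.
 * The volatile pointer keeps the compiler from eliding the stores. */
void wipe(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--)
        *p++ = 0;
}

/* Returns 1 if every byte of buf is zero, else 0. */
int buffer_is_zero(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

/* Copy the secret into a working buffer only after core dumps are disabled;
 * returns the number of bytes loaded, or 0 if the limit could not be set. */
size_t load_secret(unsigned char *buf, size_t buflen)
{
    if (disable_core_dumps() != 0)
        return 0;
    size_t n = strlen(CONSTRUCTED_SECRET);
    if (n >= buflen)
        n = buflen - 1;
    memcpy(buf, CONSTRUCTED_SECRET, n);
    buf[n] = '\0';
    return n;
}

int main(void)
{
    unsigned char buf[256];
    size_t n = load_secret(buf, sizeof buf);
    printf("core dumps disabled: %d, loaded %zu bytes\n",
           core_dumps_disabled(), n);
    /* ... use the record here ... */
    wipe(buf, sizeof buf);
    printf("buffer wiped: %d\n", buffer_is_zero(buf, sizeof buf));
    return 0;
}
```

On a FreeBSD host the kernel default can be confirmed with `sysctl kern.sugid_coredump`; the rlimit approach above is the complement at the application level, and because the hard limit is set to zero a later unprivileged setrlimit call cannot re-enable dumps.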
Ravi Pokala
2018-10-08 22:48:39 UTC
-----Original Message-----
From: Eugene Grosbein <***@grosbein.net>
Date: 2018-10-08, Monday at 15:33
To: Ravi Pokala <***@freebsd.org>, "freebsd-***@freebsd.org" <freebsd-***@freebsd.org>
Subject: Re: coredumps disallowed when creds are changed?
Post by Eugene Grosbein
Post by Ravi Pokala
Greetings hackers.
By default, a process that changes user or group credentials
whether real or effective will not create a corefile.
This behaviour can be changed to generate a core dump by setting the sysctl(8) variable kern.sugid_coredump to 1.
Can someone explain why?
Real/effective user/group id often are changed for a process started
by non-privileged user running set[ug]id binary like csh/chpass/passwd(1)
that can read sensitive system data similar to /etc/master.passwd
containing password hashes. If such utility reads sensitive data
and then crashes due to a bug, its coredump may leak data to unexpected places
of file system like /home partition, then go to a dump/backup of file system,
get uploaded offsite as part of backup etc. That should not happen by default.
That makes perfect sense. Thanks Eugene!

-Ravi (rpokala@)
