Re: core files

D. Feuer (dfeuer@mail.his.com)
Wed, 6 Jan 1999 00:21:33 -0500 (EST)


On Mon, 4 Jan 1999, Kenneth Albanowski wrote:

> On Mon, 4 Jan 1999, Albert D. Cahalan wrote:
>
> > Kenneth Albanowski writes:
> > > On Sun, 3 Jan 1999, Albert D. Cahalan wrote:
> > >>
> > >> World accessible with multiple connections is totally correct.
> > >> Only an exact authority match is acceptable. If you run a setuid
> > >> app and want to catch crashes, you need a setuid daemon to do it.
> > >
> > > I'm not sure that degree of precision is needed. A daemon with the uid/gid
> > > that the app was set to (as opposed to what it is running as) should be
> > > sufficient. A setuid daemon would then work too, of course.
> >
> > Bear in mind that people are trying to lock down Linux with serious
> > security, such as mandatory access control. The Coda filesystem
> > developers seem to want each login to be isolated from every other.
> >
> > Perfect matches are very reliable. Anything less is likely to
> > allow mistakes.
>
> And imperfect matches usually involve kludges to avoid touching suid
> programs and such... Yes, perfect matches make sense here. But do please
> remember that /dev/crash's security is irrelevant if you can still attach
> to a process with ptrace().
>
> > I highly doubt that root will want to steal core dumps.
> > For embedded systems, non-root simply won't run a crash handler.
> > In any case, "chmod 600 /dev/crash" if you want to steal cores.
> >
> > It is more likely that root will be too lazy to run the daemon.
> > I'd hate to rely on certain admins I know.
>
> Agreed to all.
>
> > That logic does not belong anywhere. It is overly complex.
>
> Or rather, let the user do it if they insist, but don't even think about
> it in the kernel. Yes, I agree, that was more complex than we need.
>
> > This is simple:
> >
> > 1. Look for an exact security match.
> > 2. If none, look for root.
> > 3. If not found, dump core.
> >
> > Step 2 is really for setuid programs and servers that change UID.
> > It is not intended to catch normal user processes. In fact, it
> > should just dump a standard core if it catches one by accident.
>
> Yes, this should be sufficient for the moment.
>
> --
> Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)
>

I've lost track of this thread, but I think that even if no userspace
dumper/debugger/tracer/whatever is running, it should be possible to
configure the kernel to do core.usr-bin-netscrape or
core.usr-bin-netscrape.23433 (pid). This was the original issue brought up,
and I think it is still valid. Even simple core dumps should be given
better names.

David Feuer
dfeuer@his.com

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
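
The three-step handler lookup and the core.usr-bin-netscrape.23433 naming discussed in this message, modelled in userspace C as an added example (not code from the thread or from the kernel). It assumes that an "exact security match" means equal uid, euid, gid and egid; `struct cred`, `struct proc`, the `changed_ids` flag, `pick_listener` and `core_name` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Assumption: an "exact security match" means all four ids are equal. */
struct cred { uid_t uid, euid; gid_t gid, egid; };
/* changed_ids: hypothetical flag for setuid programs and UID-changing servers. */
struct proc { struct cred c; int changed_ids; };

static int cred_equal(const struct cred *a, const struct cred *b)
{
    return a->uid == b->uid && a->euid == b->euid &&
           a->gid == b->gid && a->egid == b->egid;
}

/* Index of the listener that gets the crash, or -1 to write a standard core. */
int pick_listener(const struct proc *p, const struct cred *l, int n)
{
    for (int i = 0; i < n; i++)        /* 1. exact security match */
        if (cred_equal(&p->c, &l[i]))
            return i;
    if (p->changed_ids)                /* 2. root, never for ordinary user processes */
        for (int i = 0; i < n; i++)
            if (l[i].uid == 0 && l[i].euid == 0)
                return i;
    return -1;                         /* 3. dump core */
}

/* core.<path with '/' as '-'>.<pid>; no '/' survives, so the name stays
 * inside the dump directory. Returns -1 if the buffer is too small. */
int core_name(const char *exe, pid_t pid, char *out, size_t len)
{
    exe += strspn(exe, "/");           /* drop leading slashes */
    int n = snprintf(out, len, "core.%s.%ld", exe, (long)pid);
    if (n < 0 || (size_t)n >= len)
        return -1;
    for (char *s = out; *s; s++)
        if (*s == '/')
            *s = '-';
    return 0;
}

int main(void)
{
    char name[64];
    if (core_name("/usr/bin/netscrape", 23433, name, sizeof name) == 0)
        puts(name);
    return 0;
}
```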