Re: [PATCH] coredump - as root not only if euid switched

From: Andrew Morton
Date: Wed Apr 21 2004 - 20:20:22 EST


Peter Wächtler <pwaechtler@xxxxxxx> wrote:
>
> While it's more secure to not dump core at all if the program has
> switched euid, it's also very unpractical. Since only programs
> started from root, being setuid root or have CAP_SETUID it's far
> more practical to dump as root.root mode 600. This is the bahavior
> of Solaris.
>
> The current implementation does not ensure that an existing core
> file is only readable as root, i.e. after dumping the ownership
> and mode is unchanged.
>
> Besides mm->dumpable to avoid recursive core dumps, on setuid files
> the dumpable flag still prevents a core dump while seteuid & co will
> result in a core only readable as root.

It's a bit sad to add another function call level to sys_unlink() simply
because the core dumping code needs it.

Is it not possible to call sys_unlink() directly from there? Something like

long kernel_unlink(const char *name)
{
mm_segment_t old_fs = get_fs();
long ret;

set_fs(KERNEL_DS);
ret = sys_unlink(name);
set_fs(old_fs);
return ret;
}
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/