The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


BSD coredumps follow symlinks


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
X-RDate: Fri, 03 Apr 1998 08:26:09 +0600 (ESD)
Date: Tue, 31 Mar 1998 17:55:40 +6500
From: Denis Papp <dpapp@CHARRON.CS.UALBERTA.CA.>
To: [email protected]
Subject: BSD coredumps follow symlinks

I have a system running BSD/OS 2.1 with all the patches from BSDi, including
K210-029 which I quote:
"This patch addresses a security problem with core dumps from setuid programs."

I don't know what this patch really does but apparently this patch does
not fix the problem where coredumps follow symlinks.  If a user knows
how to core dump any setuid root program that user can then clobber any
file on the system (/root/.rhosts, /etc/passwd, /etc/hosts.equiv,
whatever).  Furthermore if that user knows how to clobber
a setuid root program that calls getpass* then the user can get
all the shadowed passwords.

This is easy to verify by creating a simple setuid root app that core
dumps and then making a symbolic link from app.core to /root/.rhosts.
If your system accepts '+ +' anywhere in the .rhosts file you can put that
in your env to get root access.

This concerns me a great deal - apparently 'su' and 'rlogin' are
core-dumpable (although I'm not certain how).  And I wouldn't
be surprised if a few other of the standard utilities that are setuid
root are also 'core-dumpable'.

What can I do about it?  Is there a way to turn off core dumps?  That
would be a reasonable temporary fix.

--
Denis Papp                              [email protected]
                                        http://ugweb.cs.ualberta.ca/~dpapp
Much so-called 'white marble' is really Dolemite.


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру