BSD coredumps follow symlinks

From: Denis Papp (dpappat_private)
Date: Sat Mar 28 1998 - 16:55:40 PST

    I have a system running BSD/OS 2.1 with all the patches from BSDi, including
    K210-029 which I quote:
    "This patch addresses a security problem with core dumps from setuid programs."
    
    I don't know what this patch really does but apparently this patch does
    not fix the problem where coredumps follow symlinks.  If a user knows
    how to core dump any setuid root program that user can then clobber any
    file on the system (/root/.rhosts, /etc/passwd, /etc/hosts.equiv,
    whatever).  Furthermore if that user knows how to clobber
    a setuid root program that calls getpass* then the user can get
    all the shadowed passwords.
    
    This is easy to verify by creating a simple setuid root app that core
    dumps and then making a symbolic link from app.core to /root/.rhosts.
    If your system accepts '+ +' anywhere in the .rhosts file you can put that
    in your env to get root access.
    
    This concerns me a great deal - apparently 'su' and 'rlogin' are
    core-dumpable (although I'm not certain how).  And I wouldn't
    be surprised if a few other of the standard utilities that are setuid
    root are also 'core-dumpable'.
    
    What can I do about it?  Is there a way to turn off core dumps?  That
    would be a reasonable temporary fix.
    
    --
    Denis Papp                              dpappat_private
                                            http://ugweb.cs.ualberta.ca/~dpapp
    Much so-called 'white marble' is really Dolemite.
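
The post describes the hazard at the kernel level: a core file is created with a create-or-truncate open, so if a symlink already sits at the dump path the write lands on the link's target. The same pattern applies to any program that writes into a directory a user controls, and it can be shown in userland. The following is an added example, not code from the original post nor from BSD/OS or its patches. It assumes a modern POSIX system where `open(2)` accepts `O_NOFOLLOW` (a 1998 BSD/OS kernel may not have had it); the function names `unsafe_create_dump`, `safe_create_dump` and `run_demo` are hypothetical, and the "is this process set-id" test via `getuid() != geteuid()` is a deliberate simplification of the per-process flag a kernel would keep. The demonstration builds a throwaway directory under `/tmp` with a regular file and a symlink named `app.core` pointing at it (constructed to mirror the post), then shows that the hardened open refuses the link while create-or-truncate follows it.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum dump_result {
    DUMP_CREATED = 0,        /* a brand-new regular file was created */
    DUMP_REFUSED_PRIV = 1,   /* credentials differ (set-id process): never dump */
    DUMP_REFUSED_EXISTS = 2, /* something already sits at that path (file, symlink, ...) */
    DUMP_ERROR = 3           /* any other failure (bad directory, permissions, ...) */
};

/* Write exactly `len` bytes to fd and close it; returns 0 on success. */
static int write_all_and_close(int fd, const char *data, size_t len)
{
    size_t done = 0;
    while (done < len) {
        ssize_t n = write(fd, data + done, len - done);
        if (n < 0) { if (errno == EINTR) continue; close(fd); return -1; }
        done += (size_t)n;
    }
    return close(fd);
}

/* Hazardous pattern (create-or-truncate): if `path` is a symlink the kernel
 * follows it, and the link's target is truncated and overwritten instead. */
int unsafe_create_dump(const char *path, const char *data, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return DUMP_ERROR;
    return write_all_and_close(fd, data, len) == 0 ? DUMP_CREATED : DUMP_ERROR;
}

/* Hardened pattern: refuse to dump at all when credentials were changed
 * (simplified stand-in for a kernel's set-id flag), and otherwise insist on
 * creating a new file: O_EXCL fails if anything already exists at the path,
 * and O_NOFOLLOW guarantees a symlink is never traversed. */
int safe_create_dump(const char *path, const char *data, size_t len)
{
    if (getuid() != geteuid() || getgid() != getegid())
        return DUMP_REFUSED_PRIV;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return (errno == EEXIST || errno == ELOOP) ? DUMP_REFUSED_EXISTS : DUMP_ERROR;
    return write_all_and_close(fd, data, len) == 0 ? DUMP_CREATED : DUMP_ERROR;
}

/* Read a small file into buf; returns the byte count or -1. */
static ssize_t slurp(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap);
    close(fd);
    return n;
}

/* Self-contained demonstration in a fresh temp directory (constructed):
 *   target    - a regular file standing in for something like /root/.rhosts
 *   app.core  - a symlink at the "dump path" pointing at target
 * Returns 0 when every check passes, otherwise the number of the failed step. */
int run_demo(void)
{
    char dir[] = "/tmp/coredump-demo.XXXXXX";
    if (mkdtemp(dir) == NULL) return 1;

    char target[256], link[256], fresh[256];
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/app.core", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.core", dir);

    const char secret[] = "original contents";
    const char dump[] = "CORE";
    char buf[64];
    int rc = 0;

    if (safe_create_dump(target, secret, sizeof secret - 1) != DUMP_CREATED) rc = 2;
    else if (symlink(target, link) != 0) rc = 3;
    /* Hardened open refuses the symlink and leaves the target untouched. */
    else if (safe_create_dump(link, dump, sizeof dump - 1) != DUMP_REFUSED_EXISTS) rc = 4;
    else if (slurp(target, buf, sizeof buf) != (ssize_t)(sizeof secret - 1)
             || memcmp(buf, secret, sizeof secret - 1) != 0) rc = 5;
    /* Create-or-truncate follows the link: the target now holds the dump. */
    else if (unsafe_create_dump(link, dump, sizeof dump - 1) != DUMP_CREATED) rc = 6;
    else if (slurp(target, buf, sizeof buf) != (ssize_t)(sizeof dump - 1)
             || memcmp(buf, dump, sizeof dump - 1) != 0) rc = 7;
    /* A path where nothing exists yet is still fine for the hardened version. */
    else if (safe_create_dump(fresh, dump, sizeof dump - 1) != DUMP_CREATED) rc = 8;

    unlink(fresh); unlink(link); unlink(target); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    if (rc == 0) printf("all checks passed\n");
    else printf("check %d failed\n", rc);
    return rc;
}
```

The two refusals are independent defences: the set-id check is the kernel-side policy the poster's patch description alludes to (don't dump at all when privileges were raised), while `O_EXCL | O_NOFOLLOW` is the file-creation discipline that closes the symlink path regardless of privilege. Neither replaces the temporary fix the poster asks about; a process resource limit of zero for core files (`ulimit -c 0` in the shell that starts the services) still stops the dump from being attempted in the first place.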
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:47:42 PDT