[6448] in bugtraq
Re: BSD coredumps follow symlinks
daemon@ATHENA.MIT.EDU (Ronny Cook)
Mon Apr 6 01:20:54 1998
Date: Mon, 6 Apr 1998 11:16:04 +1000
Reply-To: Ronny Cook <ronny@TMX.COM.AU>
From: Ronny Cook <ronny@TMX.COM.AU>
To: BUGTRAQ@NETSPACE.ORG

> lpr will dump core if there is no symlink there. Maybe you failed to
> install the patch correctly?

If I recall rightly, the first patch disabled the most obvious attacks, but
allowed a core dump for a setuid program across a symbolic link *if* the file
existed and had 600 permissions (and was owned by the appropriate user).
Unfortunately, certain sensitive files (such as /etc/master.passwd) fit
these conditions. Thus the later patch under 3.0, which disabled *any*
core dump across a symbolic link for *any* setuid program.

Nir's test was only for a nonexistent file, which the earlier patch handles
correctly. Unfortunately, in doing so it opens the other security hole
which was later patched under 3.0.

...Ronny
--
Ronald Cook, Technical Manager - Message Handling Systems/The Message eXchange
Email: ronny@tmx.com.au ----- Phone: +61-2-9550-4448 ---- Fax: +61-2-9519-2551
All opinions are my own and not those of TMX unless explicitly stated otherwise.
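
The two checks described in the message above, as an added userland model (not part of the original post and not the BSD kernel patch code). The function names, the choice of the effective uid as the "appropriate user", and the temporary fixture files are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700   /* mkdtemp, symlink, lstat */
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Model of the first patch as recalled in the message: across a symlink,
 * a setuid process may still dump onto an existing 0600 file owned by
 * `uid` (which uid counts as "appropriate" is an assumption here). */
int first_patch_allows(const char *core, uid_t uid, int setuid_proc)
{
    struct stat l, t;
    if (!setuid_proc || lstat(core, &l) != 0 || !S_ISLNK(l.st_mode))
        return 1;                 /* not the setuid-over-symlink case */
    if (stat(core, &t) != 0)
        return 0;                 /* dangling link: refused */
    return (t.st_mode & 07777) == 0600 && t.st_uid == uid;
}

/* Model of the later 3.0 patch: no dump across any symlink when setuid. */
int later_patch_allows(const char *core, int setuid_proc)
{
    struct stat l;
    return !(setuid_proc && lstat(core, &l) == 0 && S_ISLNK(l.st_mode));
}

/* Constructed fixtures: bit0/bit1 = first patch on a dangling link / a link
 * to a 0600 file; bit2/bit3 = later patch on the same two. -1 on error. */
int run_demo(void)
{
    char dir[] = "/tmp/coredemoXXXXXX", secret[64], dangling[64], link600[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(dangling, sizeof dangling, "%s/a.core", dir);
    snprintf(link600, sizeof link600, "%s/b.core", dir);
    int fd = open(secret, O_CREAT | O_WRONLY | O_EXCL, 0600);
    if (fd < 0 || fchmod(fd, 0600) != 0) return -1;
    close(fd);
    if (symlink("no-such-file", dangling) || symlink(secret, link600)) return -1;
    int r = first_patch_allows(dangling, geteuid(), 1)
          | (first_patch_allows(link600, geteuid(), 1) << 1)
          | (later_patch_allows(dangling, 1) << 2)
          | (later_patch_allows(link600, 1) << 3);
    unlink(dangling); unlink(link600); unlink(secret); rmdir(dir);
    return r;
}

int main(void) { printf("mask=%d\n", run_demo()); return 0; }
```

A mask of 2 means only the first-patch model accepts the link to the 0600 file; a test that uses only a dangling link sees a refusal from both models and cannot tell them apart.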