Date: Tue, 31 Mar 1998 17:55:40 +6500 From: Abunz Hacx
Subject: BSD coredumps follow symlinks I have a system running BSD/OS 2.1 with all the
patches from BSDi, including K210-029 which I quote: "This patch addresses a security problem
with core dumps from setuid programs." I don't know what this patch really does but apparently
this patch does not fix the problem where coredumps follow symlinks. If a user knows how to
core dump any setuid root program that user can then clobber any file on the system
(/root/.rhosts, /etc/passwd, /etc/hosts.equiv, whatever). Furthermore if that user knows how to
clobber a setuid root program that calls getpass* then the user can get all the shadowed
passwords. This is easy to verify by creating a simple setuid root app that core dumps and then
making a symbolic link from app.core to /root/.rhosts. If your system accepts '+ +' anywhere in
the .rhosts file you can put that in your env to get root access. This concerns me a great deal -
apparently 'su' and 'rlogin' are core-dumpable (although I'm not certain how). And I wouldn't be
surprised if a few other of the standard utilities that are setuid root are also 'core-dumpable'.
What can I do about it? Is there a way to turn off core dumps? That would be a reasonable
temporary fix. -- Abunz Hacx Hacx@mailcity.com http://www.geocities.com/Athens/Troy/6211 Pheww..
a day. 