Can a SUID program dump core
John F Haugh II
jfh at rpp386.cactus.org
Fri Mar 29 16:33:47 AEST 1991
In article <30833 at ucsd.Edu> brian at ucsd.Edu (Brian Kantor) writes:
>Yes, a suid program will drop a core file upon fault if the ruid and
>euid, and rgid and egid are equal.
... which is a security hole.
consider a program, let's call it "su", that reads privileged
information (encrypted passwords from /etc/shadow) and does something
(sets the real and effective uid's to the uid value from the password
file). if the only check that is made is if the program currently
has differing real and effective user id's, i can get a part of the
shadowed password file potentially by su'ing to myself and core
dumping "su" between the time it does the setuid to my uid and the
time it exec's the new shell. this has been done ...
the moral of the story is that no program which was ever set-uid
should =ever= be allowed to dump core.
--
John F. Haugh II | Distribution to | UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832 | GEnie PROHIBITED :-) | Domain: jfh at rpp386.cactus.org
"I want to be Robin to Bush's Batman."
-- Vice President Dan Quayle
More information about the Comp.unix.wizards
mailing list