From: Michael Sinz <msinz@wgate.com>
To: Peter Waltenberg <pwalten@au1.ibm.com>
Cc: Linux Kernel List <linux-kernel@vger.kernel.org>
Subject: Re: Core dump
Date: Fri, 15 Feb 2002 22:24:29 -0500 [thread overview]
Message-ID: <3C6DD0ED.E2D31059@wgate.com> (raw)
In-Reply-To: <OF615DC251.A04042B9-ON4A256B61.007D0561-4A256B61.007D5D7B@au.ibm.com>
Peter Waltenberg wrote:
>
> Whats to stop someone creating a process (or a nodename) with an inspired
> (tm) name, and trashing or overwriting system files ?
>
> %P The Process ID (current->pid)
> %U The UID of the process (current->uid)
> %N The command name of the process (current->comm)
> %H The nodename of the system (system_utsname.nodename)
> %% A "%"
>
> The flexibility is nice, but can you PROVE it doesn't have holes like that
> ?
Actually - yes.
First, I can not prevent some system admin from making the core pattern
a bad pattern. For example, a pattern of /usr/bin/%N would be a bad thing (tm)
However, as long as the system admin (who is the person who can set the pattern)
does not do that, the code prevents a rouge name (hostname or command name)
from causing problems.
(I prevent the use of "/" in either the hostname or command name, for example)
I have tried most everything I could think of. And, since the host name is
usually not setable by non-root, it makes it even less likely.
In fact, with a pattern like /corefiles/%H-%N-%P.core, there is even less
likelyhood that a coredump can cause problems since I can make the /corefiles
partition its own location and thus coredumps will not write to the key
filesystem.
BTW - both FreeBSD and OpenBSD have a simular format (I took my insperation
from FreeBSD, which I always liked better since the default there is %N.core)
> Just about everything we've had with variable logfile names has had holes
> like that. Samba is one of the more recent examples.
The key is to filter certain characters. Mostly the '/' in any of the
variables.
However, there is always the problem of someone with root access making
a bad setting in the sysctl. But then, if they have root, they don't
need to set some sysctl in order to cause damage.
--
Michael Sinz ---- Worldgate Communications ---- msinz@wgate.com
A master's secrets are only as good as
the master's ability to explain them to others.
parent reply other threads:[~2002-02-16 3:24 UTC|newest]
Thread overview: expand[flat|nested] mbox.gz Atom feed
[parent not found: <OF615DC251.A04042B9-ON4A256B61.007D0561-4A256B61.007D5D7B@au.ibm.com>]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3C6DD0ED.E2D31059@wgate.com \
--to=msinz@wgate.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pwalten@au1.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox