I don't know what this patch really does but apparently this patch does
not fix the problem where coredumps follow symlinks. If a user knows
how to core dump any setuid root program that user can then clobber any
file on the system (/root/.rhosts, /etc/passwd, /etc/hosts.equiv,
whatever). Furthermore if that user knows how to clobber
a setuid root program that calls getpass* then the user can get
all the shadowed passwords.
This is easy to verify by creating a simple setuid root app that core
dumps and then making a symbolic link from app.core to /root/.rhosts.
If your system accepts '+ +' anywhere in the .rhosts file you can put that
in your env to get root access.
This concerns me a great deal - apparently 'su' and 'rlogin' are
core-dumpable (although I'm not certain how). And I wouldn't
be surprised if a few of the other standard utilities that are setuid
root are also 'core-dumpable'.
What can I do about it? Is there a way to turn off core dumps? That
would be a reasonable temporary fix.
--
Denis Papp
dpapp@cs.ualberta.ca
http://ugweb.cs.ualberta.ca/~dpapp
Much so-called 'white marble' is really Dolemite.
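The temporary fix the post asks about (turning core dumps off) can be done from the shell with the `ulimit -c` builtin. The script below is an added example, not code from the original message or its author: it disables core dumps for the current shell and every process it starts, reports the resulting limit, and, on Linux only, reads the `fs.suid_dumpable` sysctl to show whether setuid programs are still permitted to dump core at all. The `/proc/sys/fs/suid_dumpable` check is an assumption about the platform (Linux) and is skipped where that file does not exist; the older BSD-style systems the post describes would need their own equivalent.

```shell
#!/bin/sh
# Added example (not part of the original post): disable core dumps for this
# shell session and report the result. Assumes a POSIX sh whose ulimit builtin
# accepts -c (core size) and -H (hard limit); the suid_dumpable check assumes
# Linux and is skipped elsewhere.

# Set both the soft and hard core-file size limits to 0 so that neither this
# shell nor any child process can produce a core file (a child cannot raise a
# hard limit back up without privilege). Returns 0 on success, 1 on failure.
disable_core_dumps() {
    ulimit -c 0 2>/dev/null || return 1
    ulimit -H -c 0 2>/dev/null || return 1
    return 0
}

# Print the current soft core-file size limit; "0" means core dumps are off.
core_limit() {
    ulimit -c
}

# On Linux, /proc/sys/fs/suid_dumpable controls whether setuid/setgid programs
# (the ones the post worries about) may dump core. Prints "disabled" when the
# kernel setting is 0, "enabled" for any other value, and "unknown" when the
# file is absent or unreadable (non-Linux system or restricted /proc).
suid_dumpable_status() {
    f=/proc/sys/fs/suid_dumpable
    if [ -r "$f" ]; then
        v=$(cat "$f" 2>/dev/null)
        if [ "$v" = "0" ]; then
            echo disabled
        else
            echo enabled
        fi
    else
        echo unknown
    fi
}

# Usage: run (or source) this script; the limit applies to the shell and its
# children only. To make it persistent for logins on systems using pam_limits,
# the same restriction is normally expressed as "* hard core 0" in
# /etc/security/limits.conf (assumption: a system that uses pam_limits).
if disable_core_dumps; then
    echo "core dumps disabled for this session (ulimit -c $(core_limit))"
else
    echo "could not lower the core-file limit" >&2
fi
echo "setuid programs may dump core (fs.suid_dumpable): $(suid_dumpable_status)"
```

Note that `ulimit` only affects processes started from this shell; a setuid program run from another login still follows the limits of that login, which is why the kernel-wide `suid_dumpable` setting (or a hard limit in the login configuration) is the check that actually answers the post's question for the whole system.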