Bugtraq archives for 3rd quarter (Jul-Sep) 1994: Re: Sending escape sequences to xterms via wall/talk

Re: Sending escape sequences to xterms via wall/talk

Christopher A. Stewart (stewartnetworx.com)
Fri, 22 Jul 1994 03:31:58 +0800

>>>>> "Paul" == Paul Daw <pauldpyramid.com> writes:

    Paul> On Jul 21, 2:21, "Christopher A. Stewart" wrote:
    >> Subject: Re: Sending escape sequences to xterms via wall/talk
    >> >>>>> "Mike" == Mike Raffety <mike_raffetyil.us.swissbank.com>
    >> writes:
    >> 
    Mike> setuid programs don't produce core dumps; it's a security
    Mike> feature.
    >>  Huh? What *NIX are you using? I've not noticed that behavior..
    >> 
    >> -- End of excerpt from "Christopher A. Stewart"

    Paul> Hmm.  I didn't think that this was the case either, but I
    Paul> just tried it (on a Pyramid MIS-T,) and I can't get any suid
    Paul> programs to dump core.  Using the same test cases, non-suid
    Paul> programs dump core dependably.

    Paul> This makes sense if you think about it.  Suppose I was
    Paul> running /bin/passwd, I had just entered in my password, and
    Paul> then passwd core dumped for some reason.  The core image
    Paul> would have my clear text password stored in it.

    Paul> Of course, one could argue that the core should still be
    Paul> dumped, but be mode 400 and owned by the suid owner, but
    Paul> that isn't happening, at least in my case.

There is at least one circumstance in which you can get a core from a
setuid program, at least on Solaris and probably SunOS. I was fairly
certain of this, as I've worked on programs that were setuid, and
used core files to do some debugging.. Since it was in this context, I
never encountered the security feature..

I just verified it on Solaris by doing the following.. The subject of
the experiment was the zcat incarnation of gzip from gnu.. I setuid
zcat to myself and then did 'zcat -f' and hit it with the quit
character from the keyboard. It produced a core if I was myself, but
didn't if I was any other user (including root).

Sorry for wasting bandwidth on this.. I responded based on a limited
set of experiences..

-- 
----------------------------------------------------------------------
Christopher A. Stewart       | (Standard disclaimers are in effect)
System/Network Administrator |
Legent Corp. Networx Div.    |
Bellevue, Wa. 98004          |
Voice (206)-688-2154         |
Fax (206)-688-2050           |
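
Paul's /bin/passwd concern, as an added example that is not part of the original thread: since the posts show the setuid core-dump policy differing between systems, a program that handles secrets can set its own core limit to zero before reading them. The function names are hypothetical; only POSIX calls are used.

```c
/* Added example, not code from the thread. Function names are hypothetical. */
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 when real and effective IDs differ, as when a setuid binary is run
 * by a user other than the file's owner. */
int ids_differ(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

int running_with_changed_ids(void)
{
    return ids_differ(getuid(), geteuid(), getgid(), getegid());
}

/* Set the soft and hard RLIMIT_CORE to 0, the POSIX way to ask that no
 * core file be written. An unprivileged process cannot raise the hard
 * limit again afterwards. Returns 0 on success, -1 on error. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* 1 if the soft core limit is zero, 0 if not, -1 on error. */
int core_limit_is_zero(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    return rl.rlim_cur == 0;
}

int main(void)
{
    /* Do this first, before any secret is read into memory. */
    if (disable_core_dumps() != 0) {
        perror("setrlimit(RLIMIT_CORE)");
        return 1;
    }
    printf("changed ids: %d, core limit zero: %d\n",
           running_with_changed_ids(), core_limit_is_zero());
    /* ... only now prompt for and process the password ... */
    return 0;
}
```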