Bugtraq mailing list archives

Re: FreeBSD,rlogin and coredumps.


From: dg () root com (David Greenman)
Date: Mon, 17 Feb 1997 03:13:18 -0800


Pointed out to me privately by several people:

Just checked on 3.0-970209-SNAP
...
Only saw my own password crypt but it does coredump as does ftpd.

   Yes, there was a bug in the kernel; it didn't pass the P_SUGID flag on to
the child of a fork. rlogin is rather unique in that it is setuid, forks, but
doesn't exec (which would clear out the address space). This allowed the child
to coredump if sent the appropriate signal. The coredump contains the result of
a passwd database lookup for the user's own entry. This is certainly undesired,
but it appears that the scope of the security hole is very limited.
   Anyway, as of about 5 minutes ago, this problem is fixed in -stable (which
will be FreeBSD 2.1.7 RSN), the 2.2 branch, and -current.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project
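
Independent of the kernel fix described in the message above, a setuid program that forks without exec can set its core size limit to zero before it reads the passwd database; the forked child inherits that limit. This is an added example, not code from rlogin or FreeBSD, and the function names are hypothetical.

```c
/* Added example: hypothetical helper names, not rlogin or FreeBSD source. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Drop soft and hard core limits to zero; lowering needs no privilege. */
static int disable_core_dumps(void)
{
    struct rlimit rl;
    rl.rlim_cur = 0;
    rl.rlim_max = 0;
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Harden, then fork without exec (the rlogin pattern from the post).
 * Returns 1 if the child sees soft and hard RLIMIT_CORE of zero,
 * 0 if it does not, -1 on error. */
int forked_child_has_zero_core_limit(void)
{
    int fds[2], status, result = -1;
    char byte = 0;
    pid_t pid;

    if (disable_core_dumps() != 0 || pipe(fds) != 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                 /* child keeps a copy of the parent's memory */
        struct rlimit rl;
        close(fds[0]);
        if (getrlimit(RLIMIT_CORE, &rl) == 0)
            byte = (rl.rlim_cur == 0 && rl.rlim_max == 0);
        _exit(write(fds[1], &byte, 1) == 1 ? 0 : 1);
    }
    close(fds[1]);
    if (read(fds[0], &byte, 1) == 1) /* child's report of its own limits */
        result = byte;
    close(fds[0]);
    waitpid(pid, &status, 0);
    return result;
}

int main(void)
{
    printf("child has zero core limit: %d\n", forked_child_has_zero_core_limit());
    return 0;
}
```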


