Re: RHN icon problem [this response is regarding the CAN-2005-1263 question]
2005-05-12 - By Stephen Gardner
On Thu, 12 May 2005, nathan r. hruby wrote:

> On Thu, 12 May 2005, Stephen Gardner wrote:
>
>> Reading the changes to the Bugzilla report this particular security
>> problem can be combatted to a large extent with a temporary workaround by
>> including "ulimit -c 0" early in the system start-up scripts (eg
>> rc.sysinit).
>>
>
> This is actually done in /etc/profile, plus several startup scripts.
>
> Ironically, /etc/csh.login does the complete opposite, setting coredumpsize
> to unlimited.
>
> But, since a user can just change this with ulimit, it's seemingly
> possible that any exploit would also do similarly. Is there a system wide
> default to enable/disable coredumps? My quick Google yielded nothing and
> I swear this already crossed the list but I can't seem to find the post.
>
> Thanks!
>
> -n
> --

I'm just passing on what the Bugzilla report mentioned. I guess putting it in /etc/rc.sysinit is to help protect against core dumping as root during start-up. You can prevent the changing of the core dump size for users by adding

    * hard core 0

to /etc/security/limits.conf. Once enforced, users get the following:

    [stephen@(protected) ~]$ ulimit -c        # displays current limit
    0
    [stephen@(protected) ~]$ ulimit -c 1000   # attempt to change limit
    -bash: ulimit: core file size: cannot modify limit: Operation not permitted

Regards,
Stephen

--
Taroon-list mailing list
Taroon-list@(protected)
http://www.redhat.com/mailman/listinfo/taroon-list
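
As an added example (not part of the original message and not Red Hat tooling), the Python below parses limits.conf text and reports whether the hard core limit is 0 for a given user, which is the condition under which the "ulimit -c 1000" attempt above is refused. The sample file contents, the user names and the precedence rule (an entry naming the user beats "*", a later line wins at the same level, group entries are ignored) are assumptions made for the example.

```python
# Added example: audit limits.conf text for the hard core-dump limit.
# SAMPLE is constructed for illustration, not taken from a real host.
SAMPLE = """\
# /etc/security/limits.conf (constructed sample)
*        soft  core  0
*        hard  core  0
devuser  -     core  unlimited   # per-user entry re-enables dumps
@wheel   hard  nproc 200
"""

def core_limits(text, user):
    """Return {'soft': v, 'hard': v} for the 'core' item as it applies to user.

    Assumed precedence: an entry naming the user beats the '*' wildcard;
    at the same level the later line wins. Group (@name) entries are skipped.
    """
    rank = {"soft": None, "hard": None}    # 0 = wildcard, 1 = user entry
    value = {"soft": None, "hard": None}   # None = no matching entry found
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 4:
            continue                       # blank, comment or malformed line
        domain, ltype, item, val = fields
        if item != "core" or domain not in ("*", user):
            continue
        level = 1 if domain == user else 0
        kinds = ("soft", "hard") if ltype == "-" else (ltype,)
        for kind in kinds:
            if kind in rank and (rank[kind] is None or level >= rank[kind]):
                rank[kind], value[kind] = level, val
    return value

def dumps_locked_off(text, user):
    """True only if the hard limit is 0, so 'ulimit -c N' cannot raise it."""
    return core_limits(text, user)["hard"] == "0"

if __name__ == "__main__":
    for u in ("stephen", "devuser"):
        print(u, core_limits(SAMPLE, u), "locked off:", dumps_locked_off(SAMPLE, u))
```

A file that carries only a soft entry for core is reported as not locked off, since a soft limit alone leaves the user free to raise it again.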