I noticed a design error similar to CVE-2007-6206 in DragonFly BSD. It is reported that OpenBSD and FreeBSD exhibit the same.
My suggested patch:
--- kern_sig.c 2008-02-14 13:41:12.000000000 +0800
+++ kern_sig-20080216.c 2008-02-16 01:15:01.000000000 +0800
@@ -2066,6 +2066,12 @@ coredump(struct lwp *lp, int sig)
goto out1;
}
+ /* Don't dump to files current user does not own */
+ if (vattr.va_uid != p->p_ucred->cr_uid) {
+ error = EFAULT;
+ goto out1;
+ }
+
VATTR_NULL(&vattr);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
vattr.va_size = 0;
A DragonFly BSD developer asked me if they should rather remove the file and recreate a new file which then will be owned by root. In my opinion checking for ownership is better and safer. We are avoiding other possible bugs e.g. allowing to read files you don't own but resides on a directory you own. I also find my fix more compact.
By the way as seen in my patch, we wouldn't want to hard code != 0 because DragonFly may implement a type enforcement system or authorization framework in the near future.
