diff options
author | Kees Cook <keescook@chromium.org> | 2012-07-30 17:39:15 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2012-07-30 20:25:11 -0400 |
commit | 9520628e8ceb69fa9a4aee6b57f22675d9e1b709 (patch) | |
tree | c8e1dbd5820e818eef930cf55cbd94dec941eb44 /Documentation | |
parent | 779302e67835fe9a6b74327e54969ba59cb3478a (diff) |
fs: make dumpable=2 require fully qualified path
When the suid_dumpable sysctl is set to "2", and there is no core dump
pipe defined in the core_pattern sysctl, a local user can cause core files
to be written to root-writable directories, potentially with
user-controlled content.
This means an admin can unknowningly reintroduce a variation of
CVE-2006-2451, allowing local users to gain root privileges.
$ cat /proc/sys/fs/suid_dumpable
2
$ cat /proc/sys/kernel/core_pattern
core
$ ulimit -c unlimited
$ cd /
$ ls -l core
ls: cannot access core: No such file or directory
$ touch core
touch: cannot touch `core': Permission denied
$ OHAI="evil-string-here" ping localhost >/dev/null 2>&1 &
$ pid=$!
$ sleep 1
$ kill -SEGV $pid
$ ls -l core
-rw------- 1 root kees 458752 Jun 21 11:35 core
$ sudo strings core | grep evil
OHAI=evil-string-here
While cron has been fixed to abort reading a file when there is any
parse error, there are still other sensitive directories that will read
any file present and skip unparsable lines.
Instead of introducing a suid_dumpable=3 mode and breaking all users of
mode 2, this only disables the unsafe portion of mode 2 (writing to disk
via relative path). Most users of mode 2 (e.g. Chrome OS) already use
a core dump pipe handler, so this change will not break them. For the
situations where a pipe handler is not defined but mode 2 is still
active, crash dumps will only be written to fully qualified paths. If a
relative path is defined (e.g. the default "core" pattern), dump
attempts will trigger a printk yelling about the lack of a fully
qualified path.
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Alan Cox <alan@linux.intel.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Doug Ledford <dledford@redhat.com>
Cc: Serge Hallyn <serge.hallyn@canonical.com>
Cc: James Morris <james.l.morris@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'Documentation')
-rw-r--r-- | Documentation/sysctl/fs.txt | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt index 13d6166d7a27..8c235b6e4246 100644 --- a/Documentation/sysctl/fs.txt +++ b/Documentation/sysctl/fs.txt | |||
@@ -163,16 +163,22 @@ This value can be used to query and set the core dump mode for setuid | |||
163 | or otherwise protected/tainted binaries. The modes are | 163 | or otherwise protected/tainted binaries. The modes are |
164 | 164 | ||
165 | 0 - (default) - traditional behaviour. Any process which has changed | 165 | 0 - (default) - traditional behaviour. Any process which has changed |
166 | privilege levels or is execute only will not be dumped | 166 | privilege levels or is execute only will not be dumped. |
167 | 1 - (debug) - all processes dump core when possible. The core dump is | 167 | 1 - (debug) - all processes dump core when possible. The core dump is |
168 | owned by the current user and no security is applied. This is | 168 | owned by the current user and no security is applied. This is |
169 | intended for system debugging situations only. Ptrace is unchecked. | 169 | intended for system debugging situations only. Ptrace is unchecked. |
170 | This is insecure as it allows regular users to examine the memory | ||
171 | contents of privileged processes. | ||
170 | 2 - (suidsafe) - any binary which normally would not be dumped is dumped | 172 | 2 - (suidsafe) - any binary which normally would not be dumped is dumped |
171 | readable by root only. This allows the end user to remove | 173 | anyway, but only if the "core_pattern" kernel sysctl is set to |
172 | such a dump but not access it directly. For security reasons | 174 | either a pipe handler or a fully qualified path. (For more details |
173 | core dumps in this mode will not overwrite one another or | 175 | on this limitation, see CVE-2006-2451.) This mode is appropriate |
174 | other files. This mode is appropriate when administrators are | 176 | when administrators are attempting to debug problems in a normal |
175 | attempting to debug problems in a normal environment. | 177 | environment, and either have a core dump pipe handler that knows |
178 | to treat privileged core dumps with care, or specific directory | ||
179 | defined for catching core dumps. If a core dump happens without | ||
180 | a pipe handler or fully qualifid path, a message will be emitted | ||
181 | to syslog warning about the lack of a correct setting. | ||
176 | 182 | ||
177 | ============================================================== | 183 | ============================================================== |
178 | 184 | ||