[PATCH] setuid core dump

Add a new `suid_dumpable' sysctl: This value can be used to query and set the core dump mode for setuid or otherwise protected/tainted binaries. The modes are 0 - (default) - traditional behaviour. Any process which has changed privilege levels or is execute only will not be dumped 1 - (debug) - all processes dump core when possible. The core dump is owned by the current user and no security is applied. This is intended for system debugging situations only. Ptrace is unchecked. 2 - (suidsafe) - any binary which normally would not be dumped is dumped readable by root only. This allows the end user to remove such a dump but not access it directly. For security reasons core dumps in this mode will not overwrite one another or other files. This mode is appropriate when adminstrators are attempting to debug problems in a normal environment. (akpm: > > +EXPORT_SYMBOL(suid_dumpable); > > EXPORT_SYMBOL_GPL? No problem to me. > > if (current->euid == current->uid && current->egid == current->gid) > > current->mm->dumpable = 1; > > Should this be SUID_DUMP_USER? Actually the feedback I had from last time was that the SUID_ defines should go because its clearer to follow the numbers. They can go everywhere (and there are lots of places where dumpable is tested/used as a bool in untouched code) > Maybe this should be renamed to `dump_policy' or something. Doing that > would help us catch any code which isn't using the #defines, too. Fair comment. The patch was designed to be easy to maintain for Red Hat rather than for merging. Changing that field would create a gigantic diff because it is used all over the place. ) Signed-off-by: Alan Cox <alan@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
author: Alan Cox <alan@lxorguk.ukuu.org.uk> 2005-06-23 03:09:43 -0400
committer: Linus Torvalds <torvalds@ppc970.osdl.org> 2005-06-23 12:45:26 -0400
commit: d6e711448137ca3301512cec41a2c2ce852b3d0a (patch)
tree: f0765ebd90fdbdf270c05fcd7f3d32b24ba56681 /fs/exec.c
parent: 8b0914ea7475615c7c8965c1ac8fe4069270f25c (diff)
1 files changed, 21 insertions, 2 deletions
diff --git a/fs/exec.c b/fs/exec.c
index 3a4b35a14c0d..48871917d363 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -58,6 +58,9 @@
 int core_uses_pid;
 char core_pattern[65] = "core";
+int suid_dumpable = 0;
+EXPORT_SYMBOL(suid_dumpable);
 /* The maximal length of core_pattern is also specified in sysctl.c */
 static struct linux_binfmt *formats;
@@ -864,6 +867,9 @@ int flush_old_exec(struct linux_binprm * bprm)
        if (current->euid == current->uid && current->egid == current->gid)
                current->mm->dumpable = 1;
+        else
+                current->mm->dumpable = suid_dumpable;
        name = bprm->filename;
        /* Copies the binary name from after last slash */
@@ -884,7 +890,7 @@ int flush_old_exec(struct linux_binprm * bprm)
            permission(bprm->file->f_dentry->d_inode,MAY_READ, NULL) ||
            (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
                suid_keys(current);
-                current->mm->dumpable = 0;
+                current->mm->dumpable = suid_dumpable;
        }
        /* An exec changes our domain. We are no longer part of the thread
@@ -1432,6 +1438,8 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
        struct inode * inode;
        struct file * file;
        int retval = 0;
+        int fsuid = current->fsuid;
+        int flag = 0;
        binfmt = current->binfmt;
        if (!binfmt || !binfmt->core_dump)
@@ -1441,6 +1449,16 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
                up_write(&mm->mmap_sem);
                goto fail;
        }
+        /*
+         *      We cannot trust fsuid as being the "true" uid of the
+         *      process nor do we know its entire history. We only know it
+         *      was tainted so we dump it as root in mode 2.
+         */
+        if (mm->dumpable == 2) {        /* Setuid core dump mode */
+                flag = O_EXCL;          /* Stop rewrite attacks */
+                current->fsuid = 0;     /* Dump root private */
+        }
        mm->dumpable = 0;
        init_completion(&mm->core_done);
        spin_lock_irq(&current->sighand->siglock);
@@ -1466,7 +1484,7 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
        lock_kernel();
        format_corename(corename, core_pattern, signr);
        unlock_kernel();
-        file = filp_open(corename, O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE, 0600);
+        file = filp_open(corename, O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, 0600);
        if (IS_ERR(file))
                goto fail_unlock;
        inode = file->f_dentry->d_inode;
@@ -1491,6 +1509,7 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
 close_fail:
        filp_close(file, NULL);
 fail_unlock:
+        current->fsuid = fsuid;
        complete_all(&mm->core_done);
 fail:
        return retval;
author	Alan Cox <alan@lxorguk.ukuu.org.uk>	2005-06-23 03:09:43 -0400
committer	Linus Torvalds <torvalds@ppc970.osdl.org>	2005-06-23 12:45:26 -0400
commit	d6e711448137ca3301512cec41a2c2ce852b3d0a (patch)
tree	f0765ebd90fdbdf270c05fcd7f3d32b24ba56681 /fs/exec.c
parent	8b0914ea7475615c7c8965c1ac8fe4069270f25c (diff)