headers
Kees Cook | 21 Jun 2012 21:43

[PATCH] fs: make dumpable=2 only write to a pipe

When the suid_dumpable sysctl is set to "2", and there is no
core dump pipe defined in the core_pattern sysctl, a local user
can cause core files to be written to root-writable directories,
potentially with user-controlled content. This means an admin
can unknowningly reintroduce a variation of CVE-2006-2451 (see
abf75a5033d4da7b8a7e92321d74021d1fcfb502).

$ cat /proc/sys/fs/suid_dumpable
2
$ cat /proc/sys/kernel/core_pattern
core
$ ulimit -c unlimited
$ cd /
$ ls -l core
ls: cannot access core: No such file or directory
$ touch core
touch: cannot touch `core': Permission denied
$ OHAI="evil-string-here" ping localhost >/dev/null 2>&1 &
$ pid=$1
$ sleep 1
$ kill -SEGV $pid
$ ls -l core
-rw------- 1 root kees 458752 Jun 21 11:35 core
$ sudo strings core | grep evil
OHAI=evil-string-here

While cron has been fixed to abort reading a file when there is any
parse error, there are still other sensitive directories that will read
any file present and skip unparsable lines.
(Continue reading)

Permalink | Reply |
headers
Alan Cox | 21 Jun 2012 23:18
Face
Picon

Re: [PATCH] fs: make dumpable=2 only write to a pipe

On Thu, 21 Jun 2012 12:43:19 -0700
Kees Cook <keescook <at> chromium.org> wrote:

> When the suid_dumpable sysctl is set to "2", and there is no
> core dump pipe defined in the core_pattern sysctl, a local user
> can cause core files to be written to root-writable directories,
> potentially with user-controlled content. This means an admin
> can unknowningly reintroduce a variation of CVE-2006-2451 (see
> abf75a5033d4da7b8a7e92321d74021d1fcfb502).

Its intended to work the way it does. It's also ABI. I think pipe-only is
a really good idea. Likewise I accept with the pipe feature nowdays there
is a good case to kill off case 2.

However I don't think magically turning one into the other is sensible,
in fact its *stupid* IMHO because it's asking systems to get unexpected
behaviour.

I would much rather see case 2 either left as is, or set to return
-EINVAL (or similar) and a new case 3 for pipe only.

Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-doc" in
the body of a message to majordomo <at> vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Permalink | Reply |
headers
Kees Cook | 22 Jun 2012 00:03

Re: [PATCH] fs: make dumpable=2 only write to a pipe

On Thu, Jun 21, 2012 at 2:18 PM, Alan Cox <alan <at> lxorguk.ukuu.org.uk> wrote:
> On Thu, 21 Jun 2012 12:43:19 -0700
> Kees Cook <keescook <at> chromium.org> wrote:
>
>> When the suid_dumpable sysctl is set to "2", and there is no
>> core dump pipe defined in the core_pattern sysctl, a local user
>> can cause core files to be written to root-writable directories,
>> potentially with user-controlled content. This means an admin
>> can unknowningly reintroduce a variation of CVE-2006-2451 (see
>> abf75a5033d4da7b8a7e92321d74021d1fcfb502).
>
> Its intended to work the way it does. It's also ABI. I think pipe-only is
> a really good idea. Likewise I accept with the pipe feature nowdays there
> is a good case to kill off case 2.
>
> However I don't think magically turning one into the other is sensible,
> in fact its *stupid* IMHO because it's asking systems to get unexpected
> behaviour.
>
> I would much rather see case 2 either left as is, or set to return
> -EINVAL (or similar) and a new case 3 for pipe only.

If mode 2 switches to -EINVAL, setuid dumps won't be written to disk,
and won't go to pipes. If mode 2 switches to pipe-only, only disk
dumps go missing. Either change seems like a break from the prior
behavior, but the latter seems the least disruptive to me.

I'm happy to go the -EINVAL route and add mode 3 (which will just be
mode 2 renamed) if that really is more acceptable.
(Continue reading)

Permalink | Reply |

Gmane