• Kees Cook's avatar
    fs: make dumpable=2 require fully qualified path · 9520628e
    Kees Cook authored
    When the suid_dumpable sysctl is set to "2", and there is no core dump
    pipe defined in the core_pattern sysctl, a local user can cause core files
    to be written to root-writable directories, potentially with
    user-controlled content.
    
    This means an admin can unknowningly reintroduce a variation of
    CVE-2006-2451, allowing local users to gain root privileges.
    
      $ cat /proc/sys/fs/suid_dumpable
      2
      $ cat /proc/sys/kernel/core_pattern
      core
      $ ulimit -c unlimited
      $ cd /
      $ ls -l core
      ls: cannot access core: No such file or directory
      $ touch core
      touch: cannot touch `core': Permission denied
      $ OHAI="evil-string-here" ping localhost >/dev/null 2>&1 &
      $ pid=$!
      $ sleep 1
      $ kill -SEGV $pid
      $ ls -l core
      -rw------- 1 root kees 458752 Jun 21 11:35 core
      $ sudo strings core | grep evil
      OHAI=evil-string-here
    
    While cron has been fixed to abort reading a file when there is any
    parse error, there are still other sensitive directories that will read
    any file present and skip unparsable lines.
    
    Instead of introducing a suid_dumpable=3 mode and breaking all users of
    mode 2, this only disables the unsafe portion of mode 2 (writing to disk
    via relative path).  Most users of mode 2 (e.g.  Chrome OS) already use
    a core dump pipe handler, so this change will not break them.  For the
    situations where a pipe handler is not defined but mode 2 is still
    active, crash dumps will only be written to fully qualified paths.  If a
    relative path is defined (e.g.  the default "core" pattern), dump
    attempts will trigger a printk yelling about the lack of a fully
    qualified path.
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    Cc: Alexander Viro <viro@zeniv.linux.org.uk>
    Cc: Alan Cox <alan@linux.intel.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: Doug Ledford <dledford@redhat.com>
    Cc: Serge Hallyn <serge.hallyn@canonical.com>
    Cc: James Morris <james.l.morris@oracle.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    9520628e
fs.txt 9.52 KB