- To: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
- Subject: Re: [PATCH v3] fs: introduce pipe-only dump mode suid_dumpable=3
- From: Kees Cook <keescook@xxxxxxxxxxxx>
- Date: Fri, 22 Jun 2012 15:07:45 -0700
- Cc: linux-kernel@xxxxxxxxxxxxxxx, Alan Cox <alan@xxxxxxxxxxxxxxx>, "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>, Alexander Viro <viro@xxxxxxxxxxxxxxxxxx>, Rob Landley <rob@xxxxxxxxxxx>, Ingo Molnar <mingo@xxxxxxxxxx>, Peter Zijlstra <peterz@xxxxxxxxxxxxx>, Doug Ledford <dledford@xxxxxxxxxx>, Marcel Holtmann <marcel@xxxxxxxxxxxx>, Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx>, Joe Korty <joe.korty@xxxxxxxx>, David Howells <dhowells@xxxxxxxxxx>, James Morris <james.l.morris@xxxxxxxxxx>, linux-doc@xxxxxxxxxxxxxxx, linux-fsdevel@xxxxxxxxxxxxxxx
- In-reply-to: <20120622145711.d7f720cd.akpm@linux-foundation.org>
On Fri, Jun 22, 2012 at 2:57 PM, Andrew Morton
<akpm@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Fri, 22 Jun 2012 14:51:54 -0700
> Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
>> > And how serious is the security vulnerability, in real-world terms?
>> > Serious enough to risk this amount of bustage?
>>
>> If they're running in mode "2" and they do not have a coredump pipe
>> handler defined, local users can gain root access.
>
> But the kernel can detect this case and avoid it? If we do that at the same
> time, we can avoid any mode=2 non-back-compatible breakage?
What? Do you mean detect if it's going to disk or to a pipe?
suid core dumps going to disk is not safe. The "mode=2" stuff was
added in an attempt to make it safe, but it has never actually be
safe. Some Linux systems with integrated crash handlers (i.e.
core_pattern with a pipe) want to catch crashes even in suid
processes, so mode=2 makes sense for them since they're handling the
core dump directly, making decisions about it, etc. However, if that
core_pattern is not a pipe, this leads to local users being able to
trick root processes into doing things to give the user root access.
mode=2 to disk _should_ break, is my point. It is not safe. Hence, my
original change to just disallow a mode=2 coredump from going to disk.
It's fine to throw it at the pipe, so leave that as-is.
-Kees
--
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Other Archives]
[Linux Kernel Newbies]
[Linux Driver Development]
[Linux Kbuild]
[Fedora Kernel]
[Linux Kernel Testers]
[Linux SH]
[Linux Omap]
[Linux Tape]
[Linux Input]
[Linux Kernel Janitors]
[Linux Kernel Packagers]
[Linux Doc]
[Linux Man Pages]
[Linux API]
[Linux Memory Management]
[Linux Modules]
[Linux Standards]
[Kernel Announce]
[Netdev]
[Git]
[Linux PCI]
Linux CAN Development
[Linux I2C]
[Linux RDMA]
[Linux NUMA]
[Netfilter]
[Netfilter Devel]
[SELinux]
[Bugtraq]
[FIO]
[Linux Perf Users]
[Linux Serial]
[Linux PPP]
[Linux ISDN]
[Linux Next]
[Kernel Stable Commits]
[Linux Tip Commits]
[Kernel MM Commits]
[Linux Security Module]
[AutoFS]
[Filesystem Development]
[Ext3 Filesystem]
[Linux bcache]
[Ext4 Filesystem]
[Linux BTRFS]
[Linux CEPH Filesystem]
[Linux XFS]
[XFS]
[Linux NFS]
[Linux CIFS]
[Ecryptfs]
[Linux NILFS]
[Linux Cachefs]
[Reiser FS]
[Initramfs]
[Linux FB Devel]
[Linux OpenGL]
[DRI Devel]
[Fastboot]
[Linux RT Users]
[Linux RT Stable]
[eCos]
[Corosync]
[Linux Clusters]
[LVS Devel]
[Hot Plug]
[Linux Virtualization]
[KVM]
[KVM PPC]
[KVM ia64]
[Linux Containers]
[Linux Hexagon]
[Linux Cgroups]
[Util Linux]
[Wireless]
[Linux Bluetooth]
[Bluez Devel]
[Ethernet Bridging]
[Embedded Linux]
[Barebox]
[Linux MMC]
[Linux IIO]
[Sparse]
[Smatch]
[Linux Arch]
[x86 Platform Driver]
[Linux ACPI]
[Linux IBM ACPI]
[LM Sensors]
[CPU Freq]
[Linux Power Management]
[Linmodems]
[Linux DCCP]
[Linux SCTP]
[ALSA Devel]
[Linux USB]
[Linux PA RISC]
[Linux Samsung SOC]
[MIPS Linux]
[IBM S/390 Linux]
[ARM Linux]
[ARM Kernel]
[ARM MSM]
[Tegra Devel]
[Sparc Linux]
[Linux Security]
[Linux Sound]
[Linux Media]
[Video 4 Linux]
[Linux IRDA Users]
[Linux for the blind]
[Linux RAID]
[Linux ATA RAID]
[Device Mapper]
[Linux SCSI]
[SCSI Target Devel]
[Linux SCSI Target Infrastructure]
[Linux IDE]
[Linux SMP]
[Linux AXP]
[Linux Alpha]
[Linux M68K]
[Linux ia64]
[Linux 8086]
[Linux x86_64]
[Linux Config]
[Linux Apps]
[Linux MSDOS]
[Linux X.25]
[Linux Crypto]
[DM Crypt]
[Linux Trace Users]
[Linux Btrace]
[Linux Watchdog]
[Utrace Devel]
[Linux C Programming]
[Linux Assembly]
[Dash]
[DWARVES]
[Hail Devel]
[Linux Kernel Debugger]
[Linux gcc]
[Gcc Help]
[X.Org]
[Wine]
 |
 |
[Older Kernel Discussion]
[Yosemite National Park Forum]
[Large Format Photos]
[Gimp]
[Yosemite Photos]
[Stuff]