Re: [PATCH] fs: make dumpable=2 only write to a pipe

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

On Thu, Jun 21, 2012 at 2:18 PM, Alan Cox <alan@xxxxxxxxxxxxxxxxxxx> wrote:
> On Thu, 21 Jun 2012 12:43:19 -0700
> Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>> When the suid_dumpable sysctl is set to "2", and there is no
>> core dump pipe defined in the core_pattern sysctl, a local user
>> can cause core files to be written to root-writable directories,
>> potentially with user-controlled content. This means an admin
>> can unknowningly reintroduce a variation of CVE-2006-2451 (see
>> abf75a5033d4da7b8a7e92321d74021d1fcfb502).
> Its intended to work the way it does. It's also ABI. I think pipe-only is
> a really good idea. Likewise I accept with the pipe feature nowdays there
> is a good case to kill off case 2.
> However I don't think magically turning one into the other is sensible,
> in fact its *stupid* IMHO because it's asking systems to get unexpected
> behaviour.
> I would much rather see case 2 either left as is, or set to return
> -EINVAL (or similar) and a new case 3 for pipe only.

If mode 2 switches to -EINVAL, setuid dumps won't be written to disk,
and won't go to pipes. If mode 2 switches to pipe-only, only disk
dumps go missing. Either change seems like a break from the prior
behavior, but the latter seems the least disruptive to me.

I'm happy to go the -EINVAL route and add mode 3 (which will just be
mode 2 renamed) if that really is more acceptable.


Kees Cook
Chrome OS Security
To unsubscribe from this list: send the line "unsubscribe linux-doc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at

[Site Home]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Photo]     [Yosemite]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]     [Linux Resources]

  Powered by Linux