Message-ID: <20080603182040.GB20582@silmor.de>
Date: Tue, 3 Jun 2008 20:20:40 +0200
From: Christian Perle <chris@...uxinfotag.de>
To: linux-kernel@...r.kernel.org
Subject: "core dump helper" runs always as root
Hi *

I recently played around with the /proc/sys/kernel/core_pattern file
(2.6.24.7 and 2.6.25) and found out that processes started by the
"|/path/to/executable" notation always run as root, even if the
segfaulting process runs as non-root.

Is there a reason for this behaviour? If not, I would suggest starting the
process which receives the core dump on stdin with the same UID as the
segfaulting process.

With the current behaviour you can do funny things:

(as root)
# echo "|/bin/chmod 4755 /bin/ash" > /proc/sys/kernel/core_pattern
(as user)
$ sleep 2 & kill -11 $!

Of course this is *not* a local root exploit because you need to be root
to write to the proc entry, but IMHO running the "core dump helper" (is
there a better name for this?) always as root is potentially harmful.

Greetings,
Chris
--
Christian Perle chris AT linuxinfotag.de
010111 http://chris.silmor.de/
101010 LinuxGuitarKitesBicyclesBeerPizzaRaytracing
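
Added example, not part of the original post: a shell check for auditing whether a core_pattern value uses the pipe form described in the message and whether the helper file, which the kernel runs as root, is root-owned and not group- or world-writable. The function names are hypothetical, and it assumes a stat that supports -L and -c (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example: audit a core_pattern value. Function names are hypothetical.

# Print "file" for a plain pattern, "pipe <helper>" for the "|/path args" form.
classify_core_pattern() {
    case "$1" in
        '|'*) rest=${1#'|'}
              printf 'pipe %s\n' "${rest%% *}" ;;
        *)    printf 'file\n' ;;
    esac
}

# The helper runs as root, so whoever can modify the helper file controls
# what root executes on the next crash. Print "ok" or the reason it is unsafe.
audit_helper() {
    [ -e "$1" ] || { printf 'missing\n'; return 1; }
    # "$2" = owner uid, "$3" = octal mode; -L follows symlinks to the real file.
    set -- "$1" $(stat -L -c '%u %a' "$1")
    case "$3" in
        *[2367]|*[2367]?) printf 'group-or-world-writable\n'; return 1 ;;
    esac
    [ "$2" = 0 ] || { printf 'not-root-owned\n'; return 1; }
    printf 'ok\n'
}

# Combine both checks; returns non-zero when a piped helper fails the audit.
audit_core_pattern() {
    kind=$(classify_core_pattern "$1")
    if [ "$kind" = file ]; then
        printf 'file pattern: no helper is executed\n'
        return 0
    fi
    helper=${kind#pipe }
    if verdict=$(audit_helper "$helper"); then
        printf 'pipe helper %s runs as root (%s)\n' "$helper" "$verdict"
    else
        printf 'pipe helper %s runs as root, UNSAFE: %s\n' "$helper" "$verdict"
        return 1
    fi
}
```

On a live system, call `audit_core_pattern "$(cat /proc/sys/kernel/core_pattern)"`. The check covers the helper file itself, not the permissions of its parent directories.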