lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <20210802144020.1d898eeaedc615776b0d2996@linux-foundation.org>
Date:   Mon, 2 Aug 2021 14:40:20 -0700
From:   Andrew Morton <akpm@...ux-foundation.org>
To:     David Oberhollenzer <david.oberhollenzer@...ma-star.at>
Cc:     viro@...iv.linux.org.uk, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org, richard@...ma-star.at
Subject: Re: [PATCH] Log if a core dump is aborted due to changed file
 permissions

On Fri,  2 Jul 2021 01:31:51 +0200 David Oberhollenzer <david.oberhollenzer@...ma-star.at> wrote:

> For obvious security reasons, a core dump is aborted if the
> filesystem cannot preserve ownership or permissions of the
> dump file.
> 
> This affects filesystems like e.g. vfat, but also something like
> a 9pfs share in a Qemu test setup, running as a regular user,
> depending on the security model used. In those cases, the result
> is an empty core file and a confused user.
> 
> To hopefully safe other people a lot of time figuring out the
> cause, this patch adds a simple log message for those specific
> cases.

Seems sane.

> --- a/fs/coredump.c
> +++ b/fs/coredump.c
> @@ -782,10 +777,17 @@ void do_coredump(const kernel_siginfo_t *siginfo)
>  		 * filesystem.
>  		 */
>  		mnt_userns = file_mnt_user_ns(cprm.file);
> -		if (!uid_eq(i_uid_into_mnt(mnt_userns, inode), current_fsuid()))
> +		if (!uid_eq(i_uid_into_mnt(mnt_userns, inode),
> +			    current_fsuid())) {
> +			pr_info_ratelimited("Core dump to |%s aborted: cannot preserve file owner\n",

But why the "|%s"?  This signifies dump-to-pipe, yes?  Don't we need
the below?

--- a/fs/coredump.c~log-if-a-core-dump-is-aborted-due-to-changed-file-permissions-fix
+++ a/fs/coredump.c
@@ -784,12 +784,12 @@ void do_coredump(const kernel_siginfo_t
 		mnt_userns = file_mnt_user_ns(cprm.file);
 		if (!uid_eq(i_uid_into_mnt(mnt_userns, inode),
 			    current_fsuid())) {
-			pr_info_ratelimited("Core dump to |%s aborted: cannot preserve file owner\n",
+			pr_info_ratelimited("Core dump to %s aborted: cannot preserve file owner\n",
 					    cn.corename);
 			goto close_fail;
 		}
 		if ((inode->i_mode & 0677) != 0600) {
-			pr_info_ratelimited("Core dump to |%s aborted: cannot preserve file permissions\n",
+			pr_info_ratelimited("Core dump to %s aborted: cannot preserve file permissions\n",
 					    cn.corename);
 			goto close_fail;
 		}
_

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ