"core dump helper" runs always as root

From: Christian Perle
Date: Tue Jun 03 2008 - 15:00:53 EST

Next message: Jeff Dike: "[PATCH 2/6] UML - Remove a duplicate include"
Previous message: Max Krasnyanskiy: "Re: Submitting fixes for bugs: Re: tun device patch for IPv6"
Next in thread: Chris Snook: "Re: "core dump helper" runs always as root"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi *

I recently played around with the /proc/sys/kernel/core_pattern file
(2.6.24.7 and 2.6.25) and found out that processes started by the
"|/path/to/executable" notation always run as root, even if the
segfaulting process runs as non-root.

Is there a reason for this behaviour? If not, i would suggest starting the
process which receives the core dump on stdin as the same UID of the
segfaulting process.

With the current behaviour you can do funny things:

(as root)
# echo "|/bin/chmod 4755 /bin/ash" > /proc/sys/kernel/core_pattern

(as user)
$ sleep 2 & kill -11 $!

Of course this is *not* a local root exploit because you need to be root
to write to the proc entry, but IMHO running the "core dump helper" (is
there a better name for this?) always as root is potentially harmful.

Greetings,
Chris
--
Christian Perle chris AT linuxinfotag.de
010111 http://chris.silmor.de/
101010 LinuxGuitarKitesBicyclesBeerPizzaRaytracing
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jeff Dike: "[PATCH 2/6] UML - Remove a duplicate include"
Previous message: Max Krasnyanskiy: "Re: Submitting fixes for bugs: Re: tun device patch for IPv6"
Next in thread: Chris Snook: "Re: "core dump helper" runs always as root"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]