"core dump helper" runs always as root

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Christian Perle

Subject: "core dump helper" runs always as root

Date: Tuesday, June 3, 2008 - 11:20 am

Hi *

I recently played around with the /proc/sys/kernel/core_pattern file
(2.6.24.7 and 2.6.25) and found out that processes started by the
"|/path/to/executable" notation always run as root, even if the
segfaulting process runs as non-root.

Is there a reason for this behaviour? If not, i would suggest starting the
process which receives the core dump on stdin as the same UID of the
segfaulting process.

With the current behaviour you can do funny things:

(as root)
# echo "|/bin/chmod 4755 /bin/ash" > /proc/sys/kernel/core_pattern

(as user)
$ sleep 2 & kill -11 $!

Of course this is *not* a local root exploit because you need to be root
to write to the proc entry, but IMHO running the "core dump helper" (is
there a better name for this?) always as root is potentially harmful.


Greetings,
  Chris
-- 
Christian Perle                                    chris AT linuxinfotag.de
010111                                              http://chris.silmor.de/
101010                          LinuxGuitarKitesBicyclesBeerPizzaRaytracing
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

"core dump helper" runs always as root, Christian Perle, (Tue Jun 3, 11:20 am)

Re: "core dump helper" runs always as root, Chris Snook, (Tue Jun 3, 2:55 pm)


linux-kernel:
Paul Turner	[tg_shares_up rewrite v4 11/11] sched: update tg->shares after cpu.shares write
Mr. James W. Laferriere	Re: Linux 2.6.25-rc1 , syntax error near unexpected token `;'
Linus Torvalds	Linux 2.6.34-rc4
David Miller	Re: 'global' rq->clock
Borislav Petkov	2.6.23-rc1: no setup signature found...
git:
Len Brown	Re: fatal: unable to create '.git/index': File exists
Oliver Hoffmann	git init --bare versus git --bare init
Sam Vilain	Re: RFC: Flat directory for notes, or fan-out? Both!
Linus Torvalds	Re: git-diff should not fire up $PAGER, period!
Jonathan Nieder	Re: git-daemon serving repos with repo.git/git-daemon-export-ok
linux-netdev:
Eric Dumazet	Re: [PATCH net-next-2.6] net: Introduce skb_orphan_try()
Jamie Lokier	Re: POHMELFS high performance network filesystem. Transactions, failover, performa...
William Allen Simpson	[net-next-2.6 PATCH v8 0/7] TCPCT part 1: cookie option exchange
Trond Myklebust	[PATCH] NET: Add the helper kernel_sock_shutdown()
Ron Mercer	[net-next PATCH 1/2] qlge: Add firmware info to ethtool get regs.
openbsd-misc:
Sevan / Venture37	Re: This is what Linus Torvalds calls openBSD crowd
Netmaffia.hu	Tini Lányok AKCIÓBAN OTTHON
Siju George	This is what Linus Torvalds calls openBSD crowd
Darrin Chandler	Re: OT: Python (was Re: vi in /bin)
Gilles Chehade	Re: Longest Uptime?
git-commits-head:
Linux Kernel Mailing List	ASoC: fix registration of the SoC card in the Freescale MPC8610 drivers
Linux Kernel Mailing List	drivers/acpi: use kasprintf
Linux Kernel Mailing List	V4L/DVB: xc3028: fix regression in firmware loading time
Linux Kernel Mailing List	V4L/DVB (10826): cx88: Add IR support to pcHDTV HD3000 & HD5500
Linux Kernel Mailing List	korina: do not use IRQF_SHARED with IRQF_DISABLED