[ubuntu-hardened] fs: suid_dumpable=2 and a security issue (gain root privileges).
Tyler Hicks
tyhicks at canonical.com
Mon Dec 14 16:19:46 UTC 2015
On 2015-12-12 19:54:34, daniel curtis wrote:
> Hello.
Hi Daniel
> Today, I've noticed an interesting article by Mr Kees Cook about
> the 'suid_dumpable' sysctl value and a core dump pipe defined
> in the 'core_pattern' (1, 2). Generally, "a local user can cause core
> files to be written to root-writable directories etc. (...)"
>
> There is also a short "proof of concept", which I checked on Ubuntu
> 12.04 LTS with the 3.2.0-96-generic-pae kernel (3.2.73). By default
> the result for the 'suid_dumpable' command is '2' (the same as
> in the article). But as for 'core_pattern', there is something
> like this:
>
> |/usr/share/apport/apport %p %s %c
Note that this is what Kees is referring to in his commit message as a
"core dump pipe handler". The core dump is piped into apport.
> As we can see, it differs from what can be noticed in the article,
> where 'core' stands as the result. So, I would like to ask if it is
> okay and there is nothing to worry about until the kernel update
> (see 2) to the 3.2.74 version?
According to the commit message, systems with core_pattern set to a pipe
handler are not affected. That means that Ubuntu, in its default
configuration, is not affected.
Tyler
>
> Best regards.
> _____________
> (1) https://lwn.net/Articles/503315/
> (2) https://lkml.org/lkml/2015/11/24/785
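The check Tyler's answer implies, as an added example that is not code from the thread, from Ubuntu or from apport: classify the fs.suid_dumpable / kernel.core_pattern combination, treating a pipe handler (such as the apport line quoted above) or an absolute path as the safe cases for mode 2 and a relative pattern like plain `core` as the one the article warns about. The labels printed are this script's own; the /proc paths are the kernel's real sysctl files.

```sh
#!/bin/sh
# classify SUID_DUMPABLE CORE_PATTERN -> prints one label describing the combination
classify() {
    dumpable=$1
    pattern=$2
    case $pattern in
        '|'*) kind=pipe ;;      # core dump is piped to a handler (e.g. apport), not written by the kernel
        /*)   kind=absolute ;;  # written to a fixed absolute path
        *)    kind=relative ;;  # written relative to the cwd of the dumping process
    esac
    case $dumpable in
        # mode 0: processes that changed credentials (setuid etc.) are never dumped
        0) echo "ok:privileged-processes-not-dumped" ;;
        # mode 1 (debug): everything dumps, owned by the current user, no safeguards
        1) echo "debug-mode:$kind" ;;
        # mode 2 (suidsafe): privileged processes dump too; safe only with pipe or absolute path
        2) if [ "$kind" = relative ]; then
               echo "review:suidsafe-with-relative-core_pattern"
           else
               echo "ok:suidsafe-with-$kind-core_pattern"
           fi ;;
        *) echo "unknown:suid_dumpable=$dumpable" ;;
    esac
}

# check_live: read the running kernel's values and classify them (fails if /proc is unavailable)
check_live() {
    d=$(cat /proc/sys/fs/suid_dumpable 2>/dev/null) || return 1
    p=$(cat /proc/sys/kernel/core_pattern 2>/dev/null) || return 1
    printf 'suid_dumpable=%s core_pattern=%s -> %s\n' "$d" "$p" "$(classify "$d" "$p")"
}

check_live || echo "could not read /proc/sys/fs/suid_dumpable or /proc/sys/kernel/core_pattern"
```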