• Marcel Holtmann's avatar
    [PATCH] Fix prctl privilege escalation and suid_dumpable (CVE-2006-2451) · abf75a50
    Marcel Holtmann authored
    Based on a patch from Ernie Petrides
    
    During security research, Red Hat discovered a behavioral flaw in core
    dump handling. A local user could create a program that would cause a
    core file to be dumped into a directory they would not normally have
    permissions to write to. This could lead to a denial of service (disk
    consumption), or allow the local user to gain root privileges.
    
    The prctl() system call should never allow to set "dumpable" to the
    value 2. Especially not for non-privileged users.
    
    This can be split into three cases:
    
      1) running as root -- then core dumps will already be done as root,
         and so prctl(PR_SET_DUMPABLE, 2) is not useful
    
      2) running as non-root w/setuid-to-root -- this is the debatable case
    
      3) running as non-root w/setuid-to-non-root -- then you definitely
         do NOT want "dumpable" to get set to 2 because you have the
         privilege escalation vulnerability
    
    With case #2, the only potential usefulness is for a program that has
    designed to run with higher privilege (than the user invoking it) that
    wants to be able to create root-owned root-validated core dumps. This
    might be useful as a debugging aid, but would only be safe if the program
    had done a chdir() to a safe directory.
    
    There is no benefit to a production setuid-to-root utility, because it
    shouldn't be dumping core in the first place. If this is true, then the
    same debugging aid could also be accomplished with the "suid_dumpable"
    sysctl.
    Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
    abf75a50
sys.c 49 KB