touch-packages team mailing list archive

Thread
Date

[Bug 1242435] Re: Desktop setuid cores readable by non-privileged user

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Burnz <bbbloyyer@xxxxxxxxx>
Date: Thu, 26 Feb 2015 16:34:41 -0000
Reply-to: Bug 1242435 <1242435@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Also affects: apport (Arch Linux)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1242435

Title:
  Desktop setuid cores readable by non-privileged user

Status in Apport crash detection/reporting:
  Fix Released
Status in apport package in Ubuntu:
  Fix Released
Status in apport source package in Lucid:
  Invalid
Status in apport source package in Precise:
  Fix Released
Status in apport source package in Quantal:
  Fix Released
Status in apport source package in Raring:
  Fix Released
Status in apport source package in Saucy:
  Fix Released
Status in apport source package in Trusty:
  Fix Released
Status in apport package in Arch Linux:
  New
Status in apport package in Debian:
  Fix Released

Bug description:
  Elsewhere I have been working on a sensitive information leak via core
  dump generated by gcore(1).

  The sensitive information in question is read by a stock setuid root
  binary executed by a non-privileged user. On Ubuntu Desktop
  fs.suid_dumpable=2. Referencing
  https://www.kernel.org/doc/Documentation/sysctl/fs.txt:

  2 - (suidsafe) - any binary which normally would not be dumped is dumped
   anyway, but only if the "core_pattern" kernel sysctl is set to
   either a pipe handler or a fully qualified path. (For more details
   on this limitation, see CVE-2006-2451.) This mode is appropriate
   when administrators are attempting to debug problems in a normal
   environment, and either have a core dump pipe handler that knows
   to treat privileged core dumps with care, or specific directory
   defined for catching core dumps. If a core dump happens without
   a pipe handler or fully qualifid path, a message will be emitted
   to syslog warning about the lack of a correct setting.

  NB "treat privileged core dumps with care".

  On a stock Desktop 12.04 LTS install:

      kernel.core_pattern = |/usr/share/apport/apport %p %s %c

  apport dutifully dumps the core and this is readable (0660, user:user)
  by the invoking user, whereas it should be something like 0440,
  root:root. I believe this to be a bug in apport.

  TRUNK FIX: http://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/2723
  Backports for older releases available as attachments here.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/1242435/+subscriptions