Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d6e71144 authored by Alan Cox's avatar Alan Cox Committed by Linus Torvalds
Browse files

[PATCH] setuid core dump 



Add a new `suid_dumpable' sysctl:

This value can be used to query and set the core dump mode for setuid
or otherwise protected/tainted binaries. The modes are

0 - (default) - traditional behaviour.  Any process which has changed
    privilege levels or is execute only will not be dumped

1 - (debug) - all processes dump core when possible.  The core dump is
    owned by the current user and no security is applied.  This is intended
    for system debugging situations only.  Ptrace is unchecked.

2 - (suidsafe) - any binary which normally would not be dumped is dumped
    readable by root only.  This allows the end user to remove such a dump but
    not access it directly.  For security reasons core dumps in this mode will
    not overwrite one another or other files.  This mode is appropriate when
    adminstrators are attempting to debug problems in a normal environment.

(akpm:

> > +EXPORT_SYMBOL(suid_dumpable);
>
> EXPORT_SYMBOL_GPL?

No problem to me.

> >  	if (current->euid == current->uid && current->egid == current->gid)
> >  		current->mm->dumpable = 1;
>
> Should this be SUID_DUMP_USER?

Actually the feedback I had from last time was that the SUID_ defines
should go because its clearer to follow the numbers. They can go
everywhere (and there are lots of places where dumpable is tested/used
as a bool in untouched code)

> Maybe this should be renamed to `dump_policy' or something.  Doing that
> would help us catch any code which isn't using the #defines, too.

Fair comment. The patch was designed to be easy to maintain for Red Hat
rather than for merging. Changing that field would create a gigantic
diff because it is used all over the place.

)

Signed-off-by: default avatarAlan Cox <alan@redhat.com>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent 8b0914ea

Documentation/sysctl/kernel.txt

+20 −0
Original line number Diff line number Diff line
@@ -49,6 +49,7 @@ show up in /proc/sys/kernel: 
- shmmax                      [ sysv ipc ]

- shmmni

- stop-a                      [ SPARC only ]

- suid_dumpable

- sysrq                       ==> Documentation/sysrq.txt

- tainted

- threads-max
@@ -300,6 +301,25 @@ kernel. This value defaults to SHMMAX. 


==============================================================



suid_dumpable:



This value can be used to query and set the core dump mode for setuid

or otherwise protected/tainted binaries. The modes are



0 - (default) - traditional behaviour. Any process which has changed

	privilege levels or is execute only will not be dumped

1 - (debug) - all processes dump core when possible. The core dump is

	owned by the current user and no security is applied. This is

	intended for system debugging situations only. Ptrace is unchecked.

2 - (suidsafe) - any binary which normally would not be dumped is dumped

	readable by root only. This allows the end user to remove

	such a dump but not access it directly. For security reasons

	core dumps in this mode will not overwrite one another or

	other files. This mode is appropriate when adminstrators are

	attempting to debug problems in a normal environment.



==============================================================



tainted: 



Non-zero if the kernel has been tainted.  Numeric values, which

fs/exec.c

+21 −2
Original line number Diff line number Diff line
@@ -58,6 +58,9 @@ 


int core_uses_pid;

char core_pattern[65] = "core";

int suid_dumpable = 0;



EXPORT_SYMBOL(suid_dumpable);

/* The maximal length of core_pattern is also specified in sysctl.c */



static struct linux_binfmt *formats;
@@ -864,6 +867,9 @@ int flush_old_exec(struct linux_binprm * bprm) 


	if (current->euid == current->uid && current->egid == current->gid)

		current->mm->dumpable = 1;

	else

		current->mm->dumpable = suid_dumpable;



	name = bprm->filename;



	/* Copies the binary name from after last slash */
@@ -884,7 +890,7 @@ int flush_old_exec(struct linux_binprm * bprm) 
	    permission(bprm->file->f_dentry->d_inode,MAY_READ, NULL) ||

	    (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {

		suid_keys(current);

		current->mm->dumpable = 0;

		current->mm->dumpable = suid_dumpable;

	}



	/* An exec changes our domain. We are no longer part of the thread
@@ -1432,6 +1438,8 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs) 
	struct inode * inode;

	struct file * file;

	int retval = 0;

	int fsuid = current->fsuid;

	int flag = 0;



	binfmt = current->binfmt;

	if (!binfmt || !binfmt->core_dump)
@@ -1441,6 +1449,16 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs) 
		up_write(&mm->mmap_sem);

		goto fail;

	}



	/*

	 *	We cannot trust fsuid as being the "true" uid of the

	 *	process nor do we know its entire history. We only know it

	 *	was tainted so we dump it as root in mode 2.

	 */

	if (mm->dumpable == 2) {	/* Setuid core dump mode */

		flag = O_EXCL;		/* Stop rewrite attacks */

		current->fsuid = 0;	/* Dump root private */

	}

	mm->dumpable = 0;

	init_completion(&mm->core_done);

	spin_lock_irq(&current->sighand->siglock);
@@ -1466,7 +1484,7 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs) 
 	lock_kernel();

	format_corename(corename, core_pattern, signr);

	unlock_kernel();

	file = filp_open(corename, O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE, 0600);

	file = filp_open(corename, O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, 0600);

	if (IS_ERR(file))

		goto fail_unlock;

	inode = file->f_dentry->d_inode;
@@ -1491,6 +1509,7 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs) 
close_fail:

	filp_close(file, NULL);

fail_unlock:

	current->fsuid = fsuid;

	complete_all(&mm->core_done);

fail:

	return retval;

fs/proc/base.c

+4 −2
Original line number Diff line number Diff line
@@ -314,7 +314,7 @@ static int may_ptrace_attach(struct task_struct *task) 
	     (current->gid != task->gid)) && !capable(CAP_SYS_PTRACE))

		goto out;

	rmb();

	if (!task->mm->dumpable && !capable(CAP_SYS_PTRACE))

	if (task->mm->dumpable != 1 && !capable(CAP_SYS_PTRACE))

		goto out;

	if (security_ptrace(current, task))

		goto out;
@@ -1113,7 +1113,9 @@ static int task_dumpable(struct task_struct *task) 
	if (mm)

		dumpable = mm->dumpable;

	task_unlock(task);

	return dumpable;

	if(dumpable == 1)

		return 1;

	return 0;

}

include/linux/binfmts.h

+5 −0
Original line number Diff line number Diff line
@@ -69,6 +69,11 @@ extern void remove_arg_zero(struct linux_binprm *); 
extern int search_binary_handler(struct linux_binprm *,struct pt_regs *);

extern int flush_old_exec(struct linux_binprm * bprm);



extern int suid_dumpable;

#define SUID_DUMP_DISABLE	0	/* No setuid dumping */

#define SUID_DUMP_USER		1	/* Dump as user of process */

#define SUID_DUMP_ROOT		2	/* Dump as root */



/* Stack area protections */

#define EXSTACK_DEFAULT   0	/* Whatever the arch defaults to */

#define EXSTACK_DISABLE_X 1	/* Disable executable stacks */

include/linux/sched.h

+1 −1
Original line number Diff line number Diff line
@@ -246,7 +246,7 @@ struct mm_struct { 


	unsigned long saved_auxv[42]; /* for /proc/PID/auxv */



	unsigned dumpable:1;

	unsigned dumpable:2;

	cpumask_t cpu_vm_mask;



	/* Architecture-specific MM context */