linux/kernel
Marcel Holtmann abf75a5033 [PATCH] Fix prctl privilege escalation and suid_dumpable (CVE-2006-2451)
Based on a patch from Ernie Petrides

During security research, Red Hat discovered a behavioral flaw in core
dump handling. A local user could create a program that would cause a
core file to be dumped into a directory they would not normally have
permissions to write to. This could lead to a denial of service (disk
consumption), or allow the local user to gain root privileges.

The prctl() system call should never allow setting "dumpable" to the
value 2, especially not for non-privileged users.

This can be split into three cases:

  1) running as root -- then core dumps will already be done as root,
     and so prctl(PR_SET_DUMPABLE, 2) is not useful

  2) running as non-root w/setuid-to-root -- this is the debatable case

  3) running as non-root w/setuid-to-non-root -- then you definitely
     do NOT want "dumpable" to get set to 2 because you have the
     privilege escalation vulnerability

With case #2, the only potential usefulness is for a program that has
been designed to run with higher privilege (than the user invoking it) and
wants to be able to create root-owned root-validated core dumps. This
might be useful as a debugging aid, but would only be safe if the program
had done a chdir() to a safe directory.

There is no benefit to a production setuid-to-root utility, because it
shouldn't be dumping core in the first place. If this is true, then the
same debugging aid could also be accomplished with the "suid_dumpable"
sysctl.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-07-12 12:50:25 -07:00
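The following userspace program is an added illustration and is not part of this commit or of the kernel source. It checks the behaviour the commit message describes from a defender's side: a Linux kernel carrying this fix must reject prctl(PR_SET_DUMPABLE, 2) with EINVAL and accept only 0 and 1, and the system-wide policy for setuid core dumps lives in the fs.suid_dumpable sysctl instead. The classify_privilege_case() helper maps real/effective uids onto the three cases listed above; its "case 0" branch (no uid change at all) is an assumption added here, since the commit only enumerates the three setuid-relevant cases. It assumes a Linux host (the sysctl path /proc/sys/fs/suid_dumpable and the 0/1/2 meanings are the documented kernel ones).

```c
/* Added example, not from the kernel commit. Assumes Linux with the
 * post-CVE-2006-2451 prctl(PR_SET_DUMPABLE) semantics. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <unistd.h>

/* Attempt to set the per-process dumpable flag. Returns 0 on success,
 * otherwise the errno the kernel reported (EINVAL for the value 2). */
int try_set_dumpable(int value)
{
    errno = 0;
    if (prctl(PR_SET_DUMPABLE, value, 0, 0, 0) == -1)
        return errno;
    return 0;
}

/* Current dumpable flag as the kernel sees it (0 or 1). */
int get_dumpable(void)
{
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Read the system-wide fs.suid_dumpable sysctl; -1 if unreadable. */
int read_suid_dumpable(void)
{
    FILE *f = fopen("/proc/sys/fs/suid_dumpable", "r");
    int v = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Documented meanings of the sysctl values (Documentation/sysctl/fs.txt). */
const char *describe_suid_dumpable(int v)
{
    switch (v) {
    case 0: return "default";   /* setuid/setgid processes do not dump core */
    case 1: return "debug";     /* all processes dump core, owned by the user */
    case 2: return "suidsafe";  /* root-readable core dump under admin control */
    default: return "unknown";
    }
}

/* Map real/effective uid onto the three cases from the commit message:
 * 1 = running as root, 2 = non-root setuid-to-root (the debatable case),
 * 3 = non-root setuid-to-non-root (the dangerous case).
 * 0 (assumption added here) = no uid change, i.e. not a setuid program. */
int classify_privilege_case(uid_t ruid, uid_t euid)
{
    if (ruid == 0)
        return 1;
    if (euid == 0)
        return 2;
    if (euid != ruid)
        return 3;
    return 0;
}

int main(void)
{
    int rc2 = try_set_dumpable(2);
    int sysctl_val = read_suid_dumpable();

    printf("prctl(PR_SET_DUMPABLE, 2) -> %s\n",
           rc2 == 0 ? "ACCEPTED (unpatched kernel!)" : strerror(rc2));
    try_set_dumpable(1);
    printf("dumpable after setting 1    -> %d\n", get_dumpable());
    printf("fs.suid_dumpable            -> %d (%s)\n",
           sysctl_val, describe_suid_dumpable(sysctl_val));
    printf("this process is case        -> %d\n",
           classify_privilege_case(getuid(), geteuid()));
    return rc2 == 0 ? 1 : 0;
}
```

Run it on a patched kernel and the first line reports "Invalid argument"; a kernel that accepts the value 2 here predates this fix. The exit status mirrors that, so the program can be dropped into a hardening check.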
irq Merge git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc 2006-07-03 15:28:34 -07:00
power [PATCH] swsusp: fix panic when signature can't be read 2006-07-10 13:24:22 -07:00
time [PATCH] time: rename clocksource functions 2006-06-26 09:58:21 -07:00
.gitignore
acct.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
audit.c [NETLINK]: Encapsulate eff_cap usage within security framework. 2006-06-29 16:57:55 -07:00
audit.h [PATCH] add rule filterkey 2006-07-01 05:43:06 -04:00
auditfilter.c [PATCH] audit syscall classes 2006-07-01 07:44:10 -04:00
auditsc.c [PATCH] audit: support for object context filters 2006-07-01 05:44:19 -04:00
capability.c [PATCH] sched: cleanup, remove task_t, convert to struct task_struct 2006-07-03 15:27:11 -07:00
compat.c [PATCH] N32 sigset and __COMPAT_ENDIAN_SWAP__ 2006-06-25 10:01:15 -07:00
configs.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
cpu.c [PATCH] cpu hotplug: make [un]register_cpu_notifier init time only 2006-06-27 17:32:41 -07:00
cpuset.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
dma.c
exec_domain.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
exit.c [PATCH] sched: cleanup, remove task_t, convert to struct task_struct 2006-07-03 15:27:11 -07:00
extable.c
fork.c [PATCH] remove the tasklist_lock export 2006-07-10 13:24:26 -07:00
futex_compat.c [PATCH] pi-futex: futex_lock_pi/futex_unlock_pi support 2006-06-27 17:32:47 -07:00
futex.c [PATCH] pi-futex: Validate futex type instead of oopsing 2006-07-10 13:24:18 -07:00
hrtimer.c [PATCH] sched: cleanup, remove task_t, convert to struct task_struct 2006-07-03 15:27:11 -07:00
itimer.c
kallsyms.c
Kconfig.hz
Kconfig.preempt
kexec.c [POWERPC] Add the use of the firmware soft-reset-nmi to kdump. 2006-06-28 15:18:52 +10:00
kfifo.c
kmod.c [PATCH] lockdep: annotate on-stack completions 2006-07-03 15:27:09 -07:00
kprobes.c [PATCH] Notify page fault call chain 2006-06-26 09:58:22 -07:00
ksysfs.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
kthread.c [PATCH] kthread: move kernel-doc and put it into DocBook 2006-06-25 10:01:24 -07:00
lockdep_internals.h [PATCH] lockdep: core 2006-07-03 15:27:03 -07:00
lockdep_proc.c [PATCH] lockdep: procfs 2006-07-03 15:27:04 -07:00
lockdep.c [PATCH] lockdep: core, reduce per-lock class-cache size 2006-07-10 13:24:14 -07:00
Makefile [PATCH] lockdep: prove spinlock rwlock locking correctness 2006-07-03 15:27:04 -07:00
module.c [PATCH] lockdep: core 2006-07-03 15:27:03 -07:00
mutex-debug.c [PATCH] lockdep: prove mutex locking correctness 2006-07-03 15:27:04 -07:00
mutex-debug.h [PATCH] lockdep: better lock debugging 2006-07-03 15:27:01 -07:00
mutex.c [PATCH] lockdep: prove mutex locking correctness 2006-07-03 15:27:04 -07:00
mutex.h [PATCH] lockdep: prove mutex locking correctness 2006-07-03 15:27:04 -07:00
panic.c [PATCH] lockdep: disable lock debugging when kernel state becomes untrusted 2006-07-10 13:24:27 -07:00
params.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
pid.c [PATCH] sched: cleanup, remove task_t, convert to struct task_struct 2006-07-03 15:27:11 -07:00
posix-cpu-timers.c
posix-timers.c
printk.c [PATCH] kernel/printk.c: EXPORT_SYMBOL_UNUSED 2006-07-10 13:24:17 -07:00
profile.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
ptrace.c [PATCH] sched: cleanup, remove task_t, convert to struct task_struct 2006-07-03 15:27:11 -07:00
rcupdate.c [PATCH] lockdep: locking init debugging improvement 2006-07-03 15:27:02 -07:00
rcutorture.c [PATCH] rcutorture: add call_rcu_bh() operations 2006-06-27 17:32:40 -07:00
relay.c
resource.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
rtmutex_common.h [PATCH] pi-futex: futex_lock_pi/futex_unlock_pi support 2006-06-27 17:32:47 -07:00
rtmutex-debug.c [PATCH] sched: cleanup, remove task_t, convert to struct task_struct 2006-07-03 15:27:11 -07:00
rtmutex-debug.h [PATCH] lockdep: better lock debugging 2006-07-03 15:27:01 -07:00
rtmutex-tester.c [PATCH] sched: cleanup, remove task_t, convert to struct task_struct 2006-07-03 15:27:11 -07:00
rtmutex.c [PATCH] sched: cleanup, remove task_t, convert to struct task_struct 2006-07-03 15:27:11 -07:00
rtmutex.h [PATCH] lockdep: better lock debugging 2006-07-03 15:27:01 -07:00
rwsem.c [PATCH] lockdep: prove rwsem locking correctness 2006-07-03 15:27:04 -07:00
sched.c [PATCH] small kernel/sched.c cleanup 2006-07-10 13:24:13 -07:00
seccomp.c
signal.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/bunk/trivial 2006-06-30 15:39:30 -07:00
softirq.c [PATCH] kernel/softirq.c: EXPORT_UNUSED_SYMBOL 2006-07-10 13:24:18 -07:00
softlockup.c [PATCH] cpu hotplug: revert initdata patch submitted for 2.6.17 2006-06-27 17:32:41 -07:00
spinlock.c [PATCH] lockdep: prove spinlock rwlock locking correctness 2006-07-03 15:27:04 -07:00
stacktrace.c [PATCH] lockdep: stacktrace subsystem, core 2006-07-03 15:27:02 -07:00
stop_machine.c [PATCH] revert "kthread: convert stop_machine into a kthread" 2006-07-03 21:25:20 -07:00
sys_ni.c
sys.c [PATCH] Fix prctl privilege escalation and suid_dumpable (CVE-2006-2451) 2006-07-12 12:50:25 -07:00
sysctl.c [PATCH] ZVC/zone_reclaim: Leave 1% of unmapped pagecache pages for file I/O 2006-07-03 15:26:59 -07:00
time.c [PATCH] Time: Introduce arch generic time accessors 2006-06-26 09:58:20 -07:00
timer.c [PATCH] adjust clock for lost ticks 2006-07-10 13:24:18 -07:00
uid16.c
unwind.c [PATCH] x86_64: allow unwinder to build without module support 2006-06-26 10:48:18 -07:00
user.c
wait.c [PATCH] uninline init_waitqueue_head() 2006-07-10 13:24:25 -07:00
workqueue.c Merge master.kernel.org:/pub/scm/linux/kernel/git/davej/cpufreq 2006-07-04 14:00:26 -07:00