On Thu, Jun 21, 2012 at 2:18 PM, Alan Cox <alan@xxxxxxxxxxxxxxxxxxx> wrote: > On Thu, 21 Jun 2012 12:43:19 -0700 > Kees Cook <keescook@xxxxxxxxxxxx> wrote: > >> When the suid_dumpable sysctl is set to "2", and there is no >> core dump pipe defined in the core_pattern sysctl, a local user >> can cause core files to be written to root-writable directories, >> potentially with user-controlled content. This means an admin >> can unknowningly reintroduce a variation of CVE-2006-2451 (see >> abf75a5033d4da7b8a7e92321d74021d1fcfb502). > > Its intended to work the way it does. It's also ABI. I think pipe-only is > a really good idea. Likewise I accept with the pipe feature nowdays there > is a good case to kill off case 2. > > However I don't think magically turning one into the other is sensible, > in fact its *stupid* IMHO because it's asking systems to get unexpected > behaviour. > > I would much rather see case 2 either left as is, or set to return > -EINVAL (or similar) and a new case 3 for pipe only. If mode 2 switches to -EINVAL, setuid dumps won't be written to disk, and won't go to pipes. If mode 2 switches to pipe-only, only disk dumps go missing. Either change seems like a break from the prior behavior, but the latter seems the least disruptive to me. I'm happy to go the -EINVAL route and add mode 3 (which will just be mode 2 renamed) if that really is more acceptable. -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
