"core dump helper" runs always as root - Kernel

This is a discussion on "core dump helper" runs always as root - Kernel ; Hi * I recently played around with the /proc/sys/kernel/core_pattern file (2.6.24.7 and 2.6.25) and found out that processes started by the "|/path/to/executable" notation always run as root, even if the segfaulting process runs as non-root. Is there a reason for ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: "core dump helper" runs always as root

  1. "core dump helper" runs always as root

    Hi *

    I recently played around with the /proc/sys/kernel/core_pattern file
    (2.6.24.7 and 2.6.25) and found out that processes started by the
    "|/path/to/executable" notation always run as root, even if the
    segfaulting process runs as non-root.

    Is there a reason for this behaviour? If not, i would suggest starting the
    process which receives the core dump on stdin as the same UID of the
    segfaulting process.

    With the current behaviour you can do funny things:

    (as root)
    # echo "|/bin/chmod 4755 /bin/ash" > /proc/sys/kernel/core_pattern

    (as user)
    $ sleep 2 & kill -11 $!

    Of course this is *not* a local root exploit because you need to be root
    to write to the proc entry, but IMHO running the "core dump helper" (is
    there a better name for this?) always as root is potentially harmful.


    Greetings,
    Chris
    --
    Christian Perle chris AT linuxinfotag.de
    010111 http://chris.silmor.de/
    101010 LinuxGuitarKitesBicyclesBeerPizzaRaytracing
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  2. Re: "core dump helper" runs always as root

    Christian Perle wrote:
    > Hi *
    >
    > I recently played around with the /proc/sys/kernel/core_pattern file
    > (2.6.24.7 and 2.6.25) and found out that processes started by the
    > "|/path/to/executable" notation always run as root, even if the
    > segfaulting process runs as non-root.
    >
    > Is there a reason for this behaviour? If not, i would suggest starting the
    > process which receives the core dump on stdin as the same UID of the
    > segfaulting process.
    >
    > With the current behaviour you can do funny things:
    >
    > (as root)
    > # echo "|/bin/chmod 4755 /bin/ash" > /proc/sys/kernel/core_pattern
    >
    > (as user)
    > $ sleep 2 & kill -11 $!
    >
    > Of course this is *not* a local root exploit because you need to be root
    > to write to the proc entry, but IMHO running the "core dump helper" (is
    > there a better name for this?) always as root is potentially harmful.
    >
    >
    > Greetings,
    > Chris


    If we run the usermode helper with the privileges of the dying process, what do
    we do about rlimit enforcement? They don't have a PAM environment, so either
    they get the default rlimits, or we have to make them inherit their limits from
    the dying process. This is very problematic if the process died due to
    exceeding an rlimit.

    Userspace is the best place to resolve complex policy issues. If it makes you
    uncomfortable having your coredump helper run as root, you can implement
    privilege separation in it, and any arbitrary code you see fit to resolve the
    rlimit dilemma.

    Personally, I would not be opposed to honoring setuid permissions for usermode
    helpers, as this maintains the separation of policy and mechanism, and leaves no
    room for ambiguity about the intent of the system administrator.

    -- Chris
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

+ Reply to Thread