oss-sec mailing list archives

Re: kernel: fs.suid_dumpable=2 privilege escalation

From: Florian Weimer <fweimer () redhat com>
Date: Fri, 17 Apr 2015 09:41:46 +0200

On 04/16/2015 08:41 PM, Kees Cook wrote:

On Thu, Apr 16, 2015 at 5:42 AM, Florian Weimer <fweimer () redhat com> wrote:

Should this be treated as a security vulnerability?

“fs: make dumpable=2 require fully qualified path”
<http://lwn.net/Articles/503682/>

Some widely-used cronie versions still do not have hardening and parse
commands in core dumps.


I didn't seek a CVE for this at the time since it requires a pretty
specific combination of configurations. Namely: setting dumpable=2
without a dump handler, which I couldn't find any distro doing. I have
no objection, of course.


Ah, right.  I noticed this while looking at the file-based coredump
emulation in abrt-hook-ccpp.  It's not the default, either, so we have
not yet assigned a CVE, and we probably won't call it a vulnerability.

-- 
Florian Weimer / Red Hat Product Security

Current thread:

kernel: fs.suid_dumpable=2 privilege escalation Florian Weimer (Apr 16)
- Re: kernel: fs.suid_dumpable=2 privilege escalation cve-assign (Apr 16)
- Re: kernel: fs.suid_dumpable=2 privilege escalation Kees Cook (Apr 16)
  - Re: kernel: fs.suid_dumpable=2 privilege escalation Florian Weimer (Apr 17)