oss-sec mailing list archives

Re: Re: Asserts considered harmful (or GMP spills its sensitive information)


From: halfdog <me () halfdog net>
Date: Tue, 01 Jan 2019 13:52:38 +0000

Simon McVittie writes:
> On Tue, 01 Jan 2019 at 12:07:17 +0100, Niels Möller wrote:
> ...
>
> Some processes (including those that are setuid or setgid,
> I think?) are automatically undumpable.

This is not true and depends on your "/proc/sys/fs/suid_dumpable"
settings, see [0]. Especially "2" was intended to capture cores
from SUIDs also, e.g. together with systemd-coredump.


To test your SUID-coredump behaviour, you can use NullExec.c
from below. It quite reliably segfaults many SUID binaries. The
argv -> env trickery is useful as some binaries (e.g. crontab)
overread the gap between argv/env on the stack and so start processing
environment variables as argvs, thus circumventing any IDS/IPS
depending on correct checking of execve()'s call arguments.

$ ./NullExec /bin/su

hd

[0] https://github.com/torvalds/linux/blob/master/Documentation/sysctl/fs.txt

$ cat NullExec.c 
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>

/* Run argv[1] with a NULL argv (argc 0); everything after it
 * becomes the new process's environment. */
int main(int argc, char **argv) {
  if(argc<2) {
    fprintf(stderr, "Usage: %s [progname] [envvars...]\n", argv[0]);
    return(1);
  }
  /* argv is NULL on purpose; argv+2 is passed as envp. */
  execve(argv[1], NULL, argv+2);
  return(1);
}
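The argv/env overread halfdog describes, as an added illustration that is not part of the original post or of NullExec.c: a constructed array stands in for the stack layout the kernel builds for execve(prog, NULL, envp) on kernels before 5.18 (argc 0, so argv[0] is already the terminating NULL and envp starts at argv[1]; 5.18 and later substitute an empty string for argv[0] in that case), and a fragile argument loop is shown next to a bounded one. The function names and the sample environment are assumptions.

```c
/* Added illustration (not halfdog's code): why execve(path, NULL, envp) confuses
 * argv parsers. The kernel lays argv and envp out back to back on the new stack:
 *   argv[0] .. argv[argc-1], NULL, envp[0] .. envp[n-1], NULL
 * With argv == NULL, argc is 0, so argv[0] is already the NULL terminator and
 * argv[1] is envp[0]. A loop that starts at argv[1] and stops only at NULL
 * therefore consumes the environment as if it were command-line arguments. */
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the stack layout produced by
 * execve(prog, NULL, envp) with envp = {"PATH=/usr/bin", "HOME=/root"}. */
static char *empty_argv_then_env[] = {
    NULL,                 /* argv[0] == NULL: argc is 0 */
    "PATH=/usr/bin",      /* envp[0] sits right behind the terminator */
    "HOME=/root",         /* envp[1] */
    NULL                  /* end of envp */
};

/* Fragile pattern: assumes argv[0] exists and counts options up to the
 * first NULL. With argc == 0 it walks straight into the environment. */
int count_args_fragile(char **argv) {
    int n = 0;
    for (int i = 1; argv[i] != NULL; i++)
        n++;
    return n;
}

/* Hardened pattern: bounded by argc, never looks past argv[argc]. */
int count_args_bounded(int argc, char **argv) {
    int n = 0;
    for (int i = 1; i < argc; i++)
        n++;
    return n;
}

/* Hardened program-name lookup: usage() paths that dereference argv[0]
 * unconditionally are the crash NullExec provokes. */
const char *progname(int argc, char **argv) {
    return (argc > 0 && argv[0] != NULL) ? argv[0] : "(unknown)";
}

int main(void) {
    char **argv = empty_argv_then_env;
    printf("fragile count: %d\n", count_args_fragile(argv));    /* 2: env read as args */
    printf("bounded count: %d\n", count_args_bounded(0, argv)); /* 0 */
    printf("progname: %s\n", progname(0, argv));                /* (unknown) */
    return 0;
}
```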
