From: Alan Cox Add a new `suid_dumpable' sysctl: This value can be used to query and set the core dump mode for setuid or otherwise protected/tainted binaries. The modes are 0 - (default) - traditional behaviour. Any process which has changed privilege levels or is execute only will not be dumped 1 - (debug) - all processes dump core when possible. The core dump is owned by the current user and no security is applied. This is intended for system debugging situations only. Ptrace is unchecked. 2 - (suidsafe) - any binary which normally would not be dumped is dumped readable by root only. This allows the end user to remove such a dump but not access it directly. For security reasons core dumps in this mode will not overwrite one another or other files. This mode is appropriate when adminstrators are attempting to debug problems in a normal environment. Signed-off-by: Alan Cox (akpm: > > +EXPORT_SYMBOL(suid_dumpable); > > EXPORT_SYMBOL_GPL? No problem to me. > > if (current->euid == current->uid && current->egid == current->gid) > > current->mm->dumpable = 1; > > Should this be SUID_DUMP_USER? Actually the feedback I had from last time was that the SUID_ defines should go because its clearer to follow the numbers. They can go everywhere (and there are lots of places where dumpable is tested/used as a bool in untouched code) > Maybe this should be renamed to `dump_policy' or something. Doing that > would help us catch any code which isn't using the #defines, too. Fair comment. The patch was designed to be easy to maintain for Red Hat rather than for merging. Changing that field would create a gigantic diff because it is used all over the place. ) Signed-off-by: Andrew Morton --- Documentation/sysctl/kernel.txt | 20 ++++++++++++++++++++ fs/exec.c | 23 +++++++++++++++++++++-- fs/proc/base.c | 6 ++++-- include/linux/binfmts.h | 5 +++++ include/linux/sched.h | 2 +- include/linux/sysctl.h | 1 + kernel/sys.c | 22 +++++++++++----------- kernel/sysctl.c | 9 +++++++++ security/commoncap.c | 2 +- security/dummy.c | 2 +- 10 files changed, 74 insertions(+), 18 deletions(-) diff -puN Documentation/sysctl/kernel.txt~setuid-core-dump Documentation/sysctl/kernel.txt --- 25/Documentation/sysctl/kernel.txt~setuid-core-dump 2005-05-11 21:15:05.000000000 -0700 +++ 25-akpm/Documentation/sysctl/kernel.txt 2005-05-11 21:15:05.000000000 -0700 @@ -49,6 +49,7 @@ show up in /proc/sys/kernel: - shmmax [ sysv ipc ] - shmmni - stop-a [ SPARC only ] +- suid_dumpable - sysrq ==> Documentation/sysrq.txt - tainted - threads-max @@ -300,6 +301,25 @@ kernel. This value defaults to SHMMAX. ============================================================== +suid_dumpable: + +This value can be used to query and set the core dump mode for setuid +or otherwise protected/tainted binaries. The modes are + +0 - (default) - traditional behaviour. Any process which has changed + privilege levels or is execute only will not be dumped +1 - (debug) - all processes dump core when possible. The core dump is + owned by the current user and no security is applied. This is + intended for system debugging situations only. Ptrace is unchecked. +2 - (suidsafe) - any binary which normally would not be dumped is dumped + readable by root only. This allows the end user to remove + such a dump but not access it directly. For security reasons + core dumps in this mode will not overwrite one another or + other files. This mode is appropriate when adminstrators are + attempting to debug problems in a normal environment. + +============================================================== + tainted: Non-zero if the kernel has been tainted. Numeric values, which diff -puN fs/exec.c~setuid-core-dump fs/exec.c --- 25/fs/exec.c~setuid-core-dump 2005-05-11 21:15:05.000000000 -0700 +++ 25-akpm/fs/exec.c 2005-05-11 21:15:05.000000000 -0700 @@ -58,6 +58,9 @@ int core_uses_pid; char core_pattern[65] = "core"; +int suid_dumpable = 0; + +EXPORT_SYMBOL(suid_dumpable); /* The maximal length of core_pattern is also specified in sysctl.c */ static struct linux_binfmt *formats; @@ -868,6 +871,9 @@ int flush_old_exec(struct linux_binprm * if (current->euid == current->uid && current->egid == current->gid) current->mm->dumpable = 1; + else + current->mm->dumpable = suid_dumpable; + name = bprm->filename; /* Copies the binary name from after last slash */ @@ -888,7 +894,7 @@ int flush_old_exec(struct linux_binprm * permission(bprm->file->f_dentry->d_inode,MAY_READ, NULL) || (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) { suid_keys(current); - current->mm->dumpable = 0; + current->mm->dumpable = suid_dumpable; } /* An exec changes our domain. We are no longer part of the thread @@ -1436,6 +1442,8 @@ int do_coredump(long signr, int exit_cod struct inode * inode; struct file * file; int retval = 0; + int fsuid = current->fsuid; + int flag = 0; binfmt = current->binfmt; if (!binfmt || !binfmt->core_dump) @@ -1445,6 +1453,16 @@ int do_coredump(long signr, int exit_cod up_write(&mm->mmap_sem); goto fail; } + + /* + * We cannot trust fsuid as being the "true" uid of the + * process nor do we know its entire history. We only know it + * was tainted so we dump it as root in mode 2. + */ + if (mm->dumpable == 2) { /* Setuid core dump mode */ + flag = O_EXCL; /* Stop rewrite attacks */ + current->fsuid = 0; /* Dump root private */ + } mm->dumpable = 0; init_completion(&mm->core_done); spin_lock_irq(¤t->sighand->siglock); @@ -1470,7 +1488,7 @@ int do_coredump(long signr, int exit_cod lock_kernel(); format_corename(corename, core_pattern, signr); unlock_kernel(); - file = filp_open(corename, O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE, 0600); + file = filp_open(corename, O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, 0600); if (IS_ERR(file)) goto fail_unlock; inode = file->f_dentry->d_inode; @@ -1495,6 +1513,7 @@ int do_coredump(long signr, int exit_cod close_fail: filp_close(file, NULL); fail_unlock: + current->fsuid = fsuid; complete_all(&mm->core_done); fail: return retval; diff -puN fs/proc/base.c~setuid-core-dump fs/proc/base.c --- 25/fs/proc/base.c~setuid-core-dump 2005-05-11 21:15:05.000000000 -0700 +++ 25-akpm/fs/proc/base.c 2005-05-11 21:15:05.000000000 -0700 @@ -352,7 +352,7 @@ static int may_ptrace_attach(struct task (current->gid != task->gid)) && !capable(CAP_SYS_PTRACE)) goto out; rmb(); - if (!task->mm->dumpable && !capable(CAP_SYS_PTRACE)) + if (task->mm->dumpable != 1 && !capable(CAP_SYS_PTRACE)) goto out; if (security_ptrace(current, task)) goto out; @@ -1170,7 +1170,9 @@ static int task_dumpable(struct task_str if (mm) dumpable = mm->dumpable; task_unlock(task); - return dumpable; + if(dumpable == 1) + return 1; + return 0; } diff -puN include/linux/binfmts.h~setuid-core-dump include/linux/binfmts.h --- 25/include/linux/binfmts.h~setuid-core-dump 2005-05-11 21:15:05.000000000 -0700 +++ 25-akpm/include/linux/binfmts.h 2005-05-11 21:15:05.000000000 -0700 @@ -69,6 +69,11 @@ extern void remove_arg_zero(struct linux extern int search_binary_handler(struct linux_binprm *,struct pt_regs *); extern int flush_old_exec(struct linux_binprm * bprm); +extern int suid_dumpable; +#define SUID_DUMP_DISABLE 0 /* No setuid dumping */ +#define SUID_DUMP_USER 1 /* Dump as user of process */ +#define SUID_DUMP_ROOT 2 /* Dump as root */ + /* Stack area protections */ #define EXSTACK_DEFAULT 0 /* Whatever the arch defaults to */ #define EXSTACK_DISABLE_X 1 /* Disable executable stacks */ diff -puN include/linux/sched.h~setuid-core-dump include/linux/sched.h --- 25/include/linux/sched.h~setuid-core-dump 2005-05-11 21:15:05.000000000 -0700 +++ 25-akpm/include/linux/sched.h 2005-05-11 21:15:05.000000000 -0700 @@ -263,7 +263,7 @@ struct mm_struct { unsigned long saved_auxv[42]; /* for /proc/PID/auxv */ - unsigned dumpable:1; + unsigned dumpable:2; cpumask_t cpu_vm_mask; /* Architecture-specific MM context */ diff -puN include/linux/sysctl.h~setuid-core-dump include/linux/sysctl.h --- 25/include/linux/sysctl.h~setuid-core-dump 2005-05-11 21:15:05.000000000 -0700 +++ 25-akpm/include/linux/sysctl.h 2005-05-11 21:15:05.000000000 -0700 @@ -136,6 +136,7 @@ enum KERN_UNKNOWN_NMI_PANIC=66, /* int: unknown nmi panic flag */ KERN_BOOTLOADER_TYPE=67, /* int: boot loader type */ KERN_RANDOMIZE=68, /* int: randomize virtual address space */ + KERN_SETUID_DUMPABLE=69, /* int: behaviour of dumps for setuid core */ }; diff -puN kernel/sys.c~setuid-core-dump kernel/sys.c --- 25/kernel/sys.c~setuid-core-dump 2005-05-11 21:15:05.000000000 -0700 +++ 25-akpm/kernel/sys.c 2005-05-11 21:15:05.000000000 -0700 @@ -528,7 +528,7 @@ asmlinkage long sys_setregid(gid_t rgid, } if (new_egid != old_egid) { - current->mm->dumpable = 0; + current->mm->dumpable = suid_dumpable; smp_wmb(); } if (rgid != (gid_t) -1 || @@ -559,7 +559,7 @@ asmlinkage long sys_setgid(gid_t gid) { if(old_egid != gid) { - current->mm->dumpable=0; + current->mm->dumpable = suid_dumpable; smp_wmb(); } current->gid = current->egid = current->sgid = current->fsgid = gid; @@ -568,7 +568,7 @@ asmlinkage long sys_setgid(gid_t gid) { if(old_egid != gid) { - current->mm->dumpable=0; + current->mm->dumpable = suid_dumpable; smp_wmb(); } current->egid = current->fsgid = gid; @@ -599,7 +599,7 @@ static int set_user(uid_t new_ruid, int if(dumpclear) { - current->mm->dumpable = 0; + current->mm->dumpable = suid_dumpable; smp_wmb(); } current->uid = new_ruid; @@ -656,7 +656,7 @@ asmlinkage long sys_setreuid(uid_t ruid, if (new_euid != old_euid) { - current->mm->dumpable=0; + current->mm->dumpable = suid_dumpable; smp_wmb(); } current->fsuid = current->euid = new_euid; @@ -706,7 +706,7 @@ asmlinkage long sys_setuid(uid_t uid) if (old_euid != uid) { - current->mm->dumpable = 0; + current->mm->dumpable = suid_dumpable; smp_wmb(); } current->fsuid = current->euid = uid; @@ -751,7 +751,7 @@ asmlinkage long sys_setresuid(uid_t ruid if (euid != (uid_t) -1) { if (euid != current->euid) { - current->mm->dumpable = 0; + current->mm->dumpable = suid_dumpable; smp_wmb(); } current->euid = euid; @@ -801,7 +801,7 @@ asmlinkage long sys_setresgid(gid_t rgid if (egid != (gid_t) -1) { if (egid != current->egid) { - current->mm->dumpable = 0; + current->mm->dumpable = suid_dumpable; smp_wmb(); } current->egid = egid; @@ -848,7 +848,7 @@ asmlinkage long sys_setfsuid(uid_t uid) { if (uid != old_fsuid) { - current->mm->dumpable = 0; + current->mm->dumpable = suid_dumpable; smp_wmb(); } current->fsuid = uid; @@ -878,7 +878,7 @@ asmlinkage long sys_setfsgid(gid_t gid) { if (gid != old_fsgid) { - current->mm->dumpable = 0; + current->mm->dumpable = suid_dumpable; smp_wmb(); } current->fsgid = gid; @@ -1655,7 +1655,7 @@ asmlinkage long sys_prctl(int option, un error = 1; break; case PR_SET_DUMPABLE: - if (arg2 != 0 && arg2 != 1) { + if (arg2 < 0 || arg2 > 2) { error = -EINVAL; break; } diff -puN kernel/sysctl.c~setuid-core-dump kernel/sysctl.c --- 25/kernel/sysctl.c~setuid-core-dump 2005-05-11 21:15:05.000000000 -0700 +++ 25-akpm/kernel/sysctl.c 2005-05-11 21:15:05.000000000 -0700 @@ -58,6 +58,7 @@ extern int sysctl_overcommit_ratio; extern int max_threads; extern int sysrq_enabled; extern int core_uses_pid; +extern int suid_dumpable; extern char core_pattern[]; extern int cad_pid; extern int pid_max; @@ -950,6 +951,14 @@ static ctl_table fs_table[] = { .proc_handler = &proc_dointvec, }, #endif + { + .ctl_name = KERN_SETUID_DUMPABLE, + .procname = "suid_dumpable", + .data = &suid_dumpable, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = &proc_dointvec, + }, { .ctl_name = 0 } }; diff -puN security/commoncap.c~setuid-core-dump security/commoncap.c --- 25/security/commoncap.c~setuid-core-dump 2005-05-11 21:15:05.000000000 -0700 +++ 25-akpm/security/commoncap.c 2005-05-11 21:15:05.000000000 -0700 @@ -149,7 +149,7 @@ void cap_bprm_apply_creds (struct linux_ if (bprm->e_uid != current->uid || bprm->e_gid != current->gid || !cap_issubset (new_permitted, current->cap_permitted)) { - current->mm->dumpable = 0; + current->mm->dumpable = suid_dumpable; if (unsafe & ~LSM_UNSAFE_PTRACE_CAP) { if (!capable(CAP_SETUID)) { diff -puN security/dummy.c~setuid-core-dump security/dummy.c --- 25/security/dummy.c~setuid-core-dump 2005-05-11 21:15:05.000000000 -0700 +++ 25-akpm/security/dummy.c 2005-05-11 21:15:05.000000000 -0700 @@ -130,7 +130,7 @@ static void dummy_bprm_free_security (st static void dummy_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) { if (bprm->e_uid != current->uid || bprm->e_gid != current->gid) { - current->mm->dumpable = 0; + current->mm->dumpable = suid_dumpable; if ((unsafe & ~LSM_UNSAFE_PTRACE_CAP) && !capable(CAP_SETUID)) { bprm->e_uid = current->uid; _