From: Andrew Morton
To: Neil Horman
Cc: oleg@redhat.com, viro@zeniv.linux.org.uk, linux-kernel@vger.kernel.org, Ingo Molnar, Alan Cox
Subject: Re: [PATCH] supress uid comparison test if core output files are pipes
Date: Wed, 24 Feb 2010 13:50:53 -0800
Message-Id: <20100224135053.e75800c1.akpm@linux-foundation.org>
In-Reply-To: <20100222200851.GD3344@hmsreliant.think-freely.org>
List: linux-kernel@vger.kernel.org

On Mon, 22 Feb 2010 15:44:29 -0500 Neil Horman wrote:

> Modify uid check in do_coredump so as to not apply it in the case of pipes
>
> So this just got noticed in testing. The end of do_coredump validates the uid
> of the inode for the created file against the uid of the crashing process to
> ensure that no one can pre-create a core file with different ownership and grab
> the information contained in the core when they shouldn't be able to. This
> causes failures when using pipes for a core dump if the crashing process is not
> root, which is the uid of the pipe when it is created.
>
> The fix is simple. Since the check for matching uid's isn't relevant for pipes
> (a process can't create a pipe that the usermodehelper code will open anyway), we
> can just skip it in the event ispipe is non-zero
>
> Signed-off-by: Neil Horman
>
>
> exec.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index 6303d18..6af2214 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -1987,8 +1987,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
>  	/*
>  	 * Dont allow local users get cute and trick others to coredump
>  	 * into their pre-created files:
> +	 * Note, this is not relevant for pipes
>  	 */
> -	if (inode->i_uid != current_fsuid())
> +	if (!ispipe && (inode->i_uid != current_fsuid()))
>  		goto close_fail;
>  	if (!cprm.file->f_op)
>  		goto close_fail;

hm, this actually appears to fix a regression, added by:

commit c46f739dd39db3b07ab5deb4e3ec81e1c04a91af
Author:     Ingo Molnar
AuthorDate: Wed Nov 28 13:59:18 2007 +0100
Commit:     Linus Torvalds
CommitDate: Wed Nov 28 10:58:01 2007 -0800

    vfs: coredumping fix

    fix: http://bugzilla.kernel.org/show_bug.cgi?id=3043

    only allow coredumping to the same uid that the coredumping
    task runs under.

    Signed-off-by: Ingo Molnar
    Acked-by: Alan Cox
    Acked-by: Christoph Hellwig
    Acked-by: Al Viro
    Signed-off-by: Linus Torvalds

diff --git a/fs/exec.c b/fs/exec.c
index 4ccaaa4..282240a 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1780,6 +1780,12 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
 	   but keep the previous behaviour for now. */
 	if (!ispipe && !S_ISREG(inode->i_mode))
 		goto close_fail;
+	/*
+	 * Dont allow local users get cute and trick others to coredump
+	 * into their pre-created files:
+	 */
+	if (inode->i_uid != current->fsuid)
+		goto close_fail;
 	if (!file->f_op)
 		goto close_fail;
 	if (!file->f_op->write)
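Review bot: in the quoted hunk at `@@ -1987,8 +1987,9 @@`, the new `!ispipe &&` guard is right, but the added comment line "Note, this is not relevant for pipes" does not record why it is safe to skip the owner check, and the reason is the whole security argument: as the changelog says, when ispipe is set the pipe is created by the usermodehelper path rather than opened from a user-supplied name, so the pre-created-file trick the comment above it warns about cannot apply. Suggest folding that reasoning into the comment, e.g. "Not relevant for pipes: the pipe is created by the helper, not pre-created by a local user", so the next reader does not re-add the check. The changelog would also benefit from stating the non-root core-to-pipe setup in which the failure was reproduced, since it currently says only that it "got noticed in testing".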
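Review bot: in the older hunk at `@@ -1780,6 +1780,12 @@`, the added `if (inode->i_uid != current->fsuid)` check is unconditional while the line directly above it, `if (!ispipe && !S_ISREG(inode->i_mode))`, already carries an `!ispipe` guard for the pipe case; the uid comparison should have been guarded the same way, because for a pipe the inode's owner is the uid under which the pipe was created (root, per the reply's description) and the comparison fails for every non-root dumping task. That missing guard is the regression the reply identifies and the quoted patch above restores.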