Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 8 Jan 2017 15:19:33 +0000
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Firejail local root exploit

On Sun, 08 Jan 2017 at 12:51:58 +0100, Martin Carpenter wrote:
> Here's
> disable_coredumps() from sudo 1.8.9p5 (as shipped with Ubuntu 14.04,
> which does not disable suid coredumps on desktop by default):
[... the active ingredient is ...]
>  800     (void) getrlimit(RLIMIT_CORE, &corelimit);
>  801     memcpy(&rl, &corelimit, sizeof(struct rlimit));
>  802     rl.rlim_cur = 0;
>  803     (void) setrlimit(RLIMIT_CORE, &rl);

This is not actually enough. dbus has one regression test involving a
binary that deliberately segfaults (so we can assert that the resulting
error is reported correctly) and we found that with tools like corekeeper
that set core_pattern="|some-helper", code similar to sudo's still resulted
in a core dump being written into the pipe to some-helper. In dbus this
was only a performance issue and not a security issue (dumping core
repeatedly made our unit tests really slow).

To address that, we added this:

#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
  /* Really, no core dumps please. On Linux, if core_pattern is
   * set to a pipe (for abrt/apport/corekeeper/etc.), RLIMIT_CORE of 0
   * is ignored (deliberately, so people can debug init(8) and other
   * early stuff); but Linux has PR_SET_DUMPABLE, so we can avoid core
   * dumps anyway. */
  prctl (PR_SET_DUMPABLE, 0, 0, 0, 0);
#endif

Reference: https://bugs.freedesktop.org/show_bug.cgi?id=83772
Rationale for RLIMIT_CORE=0 being ignored in this case:
https://lkml.org/lkml/2011/8/24/136

> there just has to be more stuff out there like this. sudo was literally
> the first thing I looked at... Disabling filter inheritance across the
> privilege boundary doesn't seem like an obviously good solution(?).

bubblewrap opts-out of setuid and similar mechanisms by unconditionally
setting PR_SET_NO_NEW_PRIVS (and bailing out if that fails), which seems
a good idea for anything that claims to be a sandbox. If feasible, I would
recommend that firejail should do the same.

    S

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.