<html> <head> <base href="https://bugs.freedesktop.org/" /> </head> <body> <div> <a class="bz_bug_link bz_status_NEW " title="NEW - systemd-coredump can run elfutils as root" href="https://bugs.freedesktop.org/show_bug.cgi?id=87354#c3">Comment # 3</a> on <a class="bz_bug_link bz_status_NEW " title="NEW - systemd-coredump can run elfutils as root" href="https://bugs.freedesktop.org/show_bug.cgi?id=87354">bug 87354</a> from <a class="email" href="mailto:lennart@poettering.net" title="Lennart Poettering <lennart@poettering.net>"> Lennart Poettering</a> <pre>(In reply to Bastien Nocera from <a href="show_bug.cgi?id=87354#c0">comment #0</a>) > If a process running as root crashed, systemd-coredump would change the > effective uid/gid to that of the crashing program. > > So a carefully crafted coredump could hit elfutils parsing bugs to run > arbitrary programs as the same user that crashed. > > The solution would be to avoid running elfutils code as any privileged user. Hmm? We generate the stack trace after dropping uid/gid to the same as the process that crashed. If you managed to carefully craft a coredump under some uid/gid, then you are so powerful, why would you then still need to trigger a bug in elfutils? If you make apache crash inserting enough data into apache to craft the coredump the way you want, and then acquire access to the apache user that way, what have you gained? I mean, you could just as well run your code as apache user right away, no need to go via the coredump stuff... Not following here, why there would be any new threat by the coredump logic?</pre> </div> <hr> You are receiving this mail because: <ul> <li>You are the QA Contact for the bug.</li> <li>You are the assignee for the bug.</li> </ul> </body> </html>