From: Don Howard <dhoward@redhat.com>
Date: Fri, 7 Dec 2007 15:30:22 -0800
Subject: [fs] core dump file ownership
Message-id: Pine.LNX.4.64.0712071453070.6669@sugarmagnolia.remotee.org
O-Subject: [RHEL5 security patch] Core dump file ownership
Bugzilla: 397001

In 2.6.x and 2.4.x kernels, if a core file owned by a non root user exists and root runs a process that drops core in the same location, the original core file owned by the non root user is replaced with root's core dump, except the original owner maintains ownership of the core.

Fixes bz397001/CVE-2007-6206

Tested on x86_64

Upstream here:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c46f739dd39db3b07ab5deb4e3ec81e1c04a91af

Acked-by: Eric Paris <eparis@redhat.com>

diff --git a/fs/exec.c b/fs/exec.c index 53e057b..8ff68d0 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1522,6 +1522,12 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs) if (!S_ISREG(inode->i_mode)) goto close_fail; + /* + * Dont allow local users get cute and trick others to coredump + * into their pre-created files: + */ + if (inode->i_uid != current->fsuid) + goto close_fail; if (!file->f_op) goto close_fail; if (!file->f_op->write)
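Review bot: The new inode->i_uid != current->fsuid test in do_coredump() fails through goto close_fail with no diagnostic, so a process whose dump is refused because the target file belongs to another uid silently leaves no core behind. It would help to say so in the comment (or log it), since the commit message only describes the root-over-user case while the check rejects any owner mismatch. The comment itself should state the rule rather than the motive, for example "refuse to dump into an existing file not owned by current->fsuid", and "Dont allow local users get cute" needs fixing ("Don't", "users to"). The visible context covers ownership and S_ISREG only, so it is worth confirming that the permission bits of a pre-existing file owned by the same uid are handled elsewhere in this function.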