On Fri, 2019-03-15 at 22:40 +0100, Jakub Wilk wrote:
> Apport creates /var/crash/.lock as readable and writable for anyone:
> 
>    # ls -l /var/crash/.lock
>    -rwxrwxrwx 1 root root 0 Mar 15 22:30 /var/crash/.lock
> 
> This allows malicious local users to do bad things:
> 
> * They could fill up the disk, bypassing quotas.
> 
> * They could acquire a lock on the file and never release it, effectively
> disabling core dumping for everyone.
> 
> * They could use the file as an aid in exploitation of other
> vulnerabilities, such as this:
> http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/
> 
> 
> Please make the lock file accessible only to root.

Please see attached patch. I think it should fix the issue and not
create any regressions. The reason I say "I think" is because I gave up
on using apport lately. Also as you can see from the package log, this
package has only been part of experimental and lately I'm more inclined
to get it removed from Debian.

Do you use apport? Or have an interest in it in Debian?

rrs@priyasi:~/rrs-home/Community/Packaging/apport (master)$ cat debian/patches/lock-file-perms.patch
Interim fix for the security issues reported
--- a/bin/crash-digger
+++ b/bin/crash-digger
@@ -195,7 +195,7 @@
 
 if opts.lockfile:
     try:
-        f = os.open(opts.lockfile, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
+        f = os.open(opts.lockfile, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
         os.write(f, ("%u\n" % os.getpid()).encode())
         os.close(f)
     except OSError as e:
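Review bot: the 0o666 to 0o644 change on the `os.open` line still leaves the crash-digger lock file world-readable, while the report asks for the lock file to be accessible only to root; nothing in the hunk reads the file back, so 0o600 is the conservative choice. Note also that the mode passed to `os.open` only applies when this call creates the file (which O_EXCL guarantees here) and is still masked by the process umask, so the value is a ceiling on the permission bits rather than the final result.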
--- a/data/apport
+++ b/data/apport
@@ -34,7 +34,7 @@
     # create a lock file
     lockfile = os.path.join(apport.fileutils.report_dir, '.lock')
     try:
-        fd = os.open(lockfile, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW)
+        fd = os.open(lockfile, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o644)
     except OSError as e:
         error_log('cannot create lock file (uid %i): %s' % (os.getuid(), 
str(e)))
         sys.exit(1)
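Review bot: the explicit 0o644 added to the `os.open` call only helps when the file is being created: Python's `os.open` defaults the mode to 0o777 when none is given (which, under a zero umask, matches the -rwxrwxrwx listing in the report), but O_CREAT without O_EXCL on an already-existing /var/crash/.lock ignores the mode argument entirely, so installations that already have the world-writable file are not repaired. Consider an `os.fchmod(fd, 0o600)` after the open (or a chmod in the maintainer scripts on upgrade), and 0o600 rather than 0o644 to match the report's request that only root can access the file.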

-- 
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System
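As an added example, not code from this thread or from apport itself, the following Python shows a lock-file open that addresses the three points the patch discussion turns on: an explicit restrictive mode (Python's `os.open` defaults the mode to 0o777 when none is given), O_NOFOLLOW so a symlink planted at the lock path is refused, and an `os.fchmod` after the open, because the mode argument is ignored for a file that already exists. The function names (`create_lock_file`, `permission_bits`, the two `demo_*` helpers) are hypothetical, the scenarios are constructed in a temporary directory, and the zero umask used to reproduce the world-writable file is an assumption of the demo, chosen because it is consistent with the listing in the report.

```python
import os
import stat
import tempfile

# O_NOFOLLOW is POSIX; guard the constant so the module still imports elsewhere.
O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def create_lock_file(path, mode=0o600):
    """Open (creating if needed) a lock file that only its owner can access.

    Same shape as the apport lock-file open discussed in the thread, with
    three differences: an explicit restrictive mode (os.open would default
    to 0o777), an fstat check that the opened object is a regular file, and
    an fchmod after the open, because the mode argument of os.open only
    applies when the file is being created and a pre-existing world-writable
    file would otherwise keep its permissions.
    Returns the open descriptor; keep it open for as long as the lock is held.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | O_NOFOLLOW, mode)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError("refusing non-regular lock file: %s" % path)
        os.fchmod(fd, mode)  # repair permissions of a file that already existed
        os.write(fd, ("%u\n" % os.getpid()).encode())
    except BaseException:
        os.close(fd)
        raise
    return fd


def permission_bits(path):
    """Permission bits of `path` as an int, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_repair_existing_file():
    """Constructed scenario: the lock file was created the way the pre-patch
    data/apport did it (no mode argument) under a zero umask (assumed here;
    consistent with the -rwxrwxrwx listing in the report). Returns the
    permission bits before and after create_lock_file repairs the file."""
    old_umask = os.umask(0)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, ".lock")
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | O_NOFOLLOW)
            os.close(fd)
            before = permission_bits(path)
            fd = create_lock_file(path)
            os.close(fd)
            after = permission_bits(path)
            return before, after
    finally:
        os.umask(old_umask)


def demo_symlink_refused():
    """Constructed scenario: a symlink named .lock points at another file.
    O_NOFOLLOW makes the open fail, so the target is never opened or written.
    Returns True when the open was refused and the target is untouched."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "victim")
        with open(target, "wb") as f:
            f.write(b"original contents\n")
        link = os.path.join(d, ".lock")
        os.symlink(target, link)
        try:
            fd = create_lock_file(link)
        except OSError:
            with open(target, "rb") as f:
                return f.read() == b"original contents\n"
        os.close(fd)
        return False


if __name__ == "__main__":
    before, after = demo_repair_existing_file()
    print("permissions before/after repair:", oct(before), oct(after))
    print("symlink refused, target untouched:", demo_symlink_refused())
```

The fchmod is the part the submitted patch lacks: with O_CREAT and no O_EXCL, a lock file left behind by an earlier run keeps whatever permissions it was created with, so fixing the creation mode alone does not repair installations that already have the world-writable file.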
