* Ritesh Raj Sarraf <r...@debian.org>, 2019-03-18, 20:20:
Apport tries to create /var/crash/.lock if it doesn't exist already. But
/var/crash/ is world-writable, so a malicious local user could do:
ln -sf /nonexistent /var/crash/.lock
to prevent Apport from creating the lock file.
Yes. /var/crash/ is world-writable and has the sticky bit set. It is
needed so that normal (unprivileged) user processes also write down
their crash reports without seeking root privileges.
Yes. But that still does not fix the security concern raised in this
bug report. What would be the optimal fix for this?
There might be good reasons for /var/crash to be world-writable
(although it's certainly asking for trouble), but I can't see any
reason to keep the lock file in this directory.
Move the lock somewhere else (say /var/lib/apport/lock), make it
owned by root:root and with permissions 0600. This should work because
the lock is acquired before dropping privileges.
--
Jakub Wilk
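The following is an added illustration of the issue discussed in this thread, not code from Apport or from either poster. It reproduces the planted-symlink attack in a scratch directory (a 1777 directory standing in for /var/crash, a sibling path standing in for /nonexistent), shows that a plain O_CREAT open follows the link and creates its target, that O_NOFOLLOW makes the same open fail with ELOOP, and that a lock kept in a private directory (standing in for the proposed /var/lib/apport/lock) is acquired normally and blocks a second acquirer. The function names, the ownership checks and the directory layout are this example's own assumptions.

```python
import errno
import fcntl
import os
import shutil
import stat
import tempfile

# Added example, not Apport's code. Function names and paths are assumptions.


def open_lock(path, follow_symlinks):
    """Create/open a lock file and take a non-blocking exclusive flock.

    follow_symlinks=True mirrors the behaviour described in the report: a
    symlink planted at `path` by another user is followed by open(2), and the
    link's target is created with the opener's privileges.
    """
    flags = os.O_WRONLY | os.O_CREAT
    if not follow_symlinks:
        flags |= os.O_NOFOLLOW  # open(2) fails with ELOOP if `path` is a symlink
    fd = os.open(path, flags, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except OSError:
        os.close(fd)
        raise
    return fd


def is_private_lock_dir(lock_dir):
    """True when lock_dir is a directory owned by our effective uid and not
    writable by group or others: the property a root-owned /var/lib/apport
    would have and a 1777 /var/crash lacks."""
    try:
        st = os.lstat(lock_dir)
    except FileNotFoundError:
        return False
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == os.geteuid()
            and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)))


def acquire_lock_safe(lock_dir, name="lock"):
    """Hardened variant (assumed design): refuse a shared directory, refuse
    symlinks, and verify after opening that we hold a regular file we own."""
    if not is_private_lock_dir(lock_dir):
        raise PermissionError(f"{lock_dir} is not a private directory")
    fd = open_lock(os.path.join(lock_dir, name), follow_symlinks=False)
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
        os.close(fd)
        raise PermissionError("lock file is not a regular file we own")
    return fd


def demo():
    """Reproduce the attack in a scratch tree and return what each check observed."""
    base = tempfile.mkdtemp()
    try:
        shared = os.path.join(base, "crash")       # stand-in for /var/crash
        os.mkdir(shared)
        os.chmod(shared, 0o1777)                    # world-writable + sticky
        victim = os.path.join(base, "victim")      # stand-in for /nonexistent
        planted = os.path.join(shared, ".lock")
        os.symlink(victim, planted)                 # the attacker's `ln -sf`

        # Vulnerable path: the open follows the planted link and creates its target.
        fd = open_lock(planted, follow_symlinks=True)
        os.close(fd)
        target_created = os.path.exists(victim)

        # O_NOFOLLOW alone: the open refuses the symlink with ELOOP.
        try:
            open_lock(planted, follow_symlinks=False)
            nofollow_errno = None
        except OSError as e:
            nofollow_errno = e.errno

        # Proposed fix: lock in a private directory. The 1777 one is rejected,
        # the private one works, and a second acquirer is blocked by the flock.
        private = os.path.join(base, "lib_apport")  # stand-in for /var/lib/apport
        os.mkdir(private, 0o700)
        fd = acquire_lock_safe(private)
        try:
            acquire_lock_safe(private)
            second_errno = None
        except OSError as e:
            second_errno = e.errno
        finally:
            os.close(fd)

        return {
            "target_created": target_created,
            "nofollow_is_eloop": nofollow_errno == errno.ELOOP,
            "shared_rejected": not is_private_lock_dir(shared),
            "second_blocked": second_errno in (errno.EAGAIN, errno.EWOULDBLOCK),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The decisive control is the private directory: once nobody else can write there, nobody can plant the symlink in the first place. O_NOFOLLOW and the fstat check after opening are defence in depth for the case where that assumption is ever broken. Note that the reproduction relies on the symlink and the opener having the same uid; with fs.protected_symlinks enabled, the kernel already refuses to follow a symlink in a sticky world-writable directory when the link belongs to a different user, which is why the original report matters most where that sysctl is off or the planter is root's equal.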