The attachment "Remove group read permissions on crash report" seems to
be a patch.  If it isn't, please remove the "patch" flag from the
attachment, remove the "patch" tag, and if you are a member of the
~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issues please contact him.]

** Tags added: patch

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/2106338

Title:
  Apport Report File Insecure Permissions

Status in Apport:
  Fix Released
Status in apport package in Ubuntu:
  Triaged

Bug description:
  When a low-privileged process crashes, an apport crash report file
  is written to /var/crash which contains various technical details
  including the raw base64 encoded core dump. A core file could
  potentially include sensitive data such as passwords and encryption
  keys. The issue is the report file has group read permissions by
  default. Any user that is a member of the same primary group can read
  the crash reports of another user which could lead to the disclosure
  of sensitive information.

  
  Test Environment

  Ubuntu 24.04.2 LTS
  apport 2.28.1-0ubuntu3.5

  
  Setup

  Create two users with the primary group set to staff. For this PoC,
  the following users are used.

  
  root@apport-test:~# id user1
  uid=1001(user1) gid=50(staff) groups=50(staff)

  root@apport-test:~# id user2
  uid=1002(user2) gid=50(staff) groups=50(staff)

  
  Steps to reproduce

  As user1, execute bash, and then export the PGPASSWD variable to the
  string UberSecret. Send the SIGABRT signal to the bash process to
  induce a crash.

  
  Example:

  user1@apport-test:~$ bash
  user1@apport-test:~$ export PGPASSWD=UberSecret
  user1@apport-test:~$ kill -ABRT $$
  Aborted (core dumped)

  Verify the crash report is written to
  /var/crash/_usr_bin_bash.<UID>.crash. Note the staff group permissions
  have read access.

  user1@apport-test:~$ ls -lart /var/crash
  total 104
  drwxr-xr-x 13 root  root   4096 Jul  2  2024 ..
  drwxrwsrwt  2 root  root   4096 Apr  6 09:58 .
  -rw-r-----  1 user1 staff 97412 Apr  6 09:58 _usr_bin_bash.1001.crash

  
  As user2 execute the apport-unpack program to unpack the crash report
  to /tmp/unpacked.

  user2@apport-test:~$ apport-unpack /var/crash/_usr_bin_bash.1001.crash /tmp/unpacked

  
  As user2 execute "strings /tmp/unpacked/CoreDump |grep -w PGPASSWD" to
  search the CoreDump file for the PGPASSWD environment variable value.
  The user2 user is able to read sensitive data associated with a crash
  for a process executed by user1.

  user2@apport-test:~$ strings /tmp/unpacked/CoreDump |grep -w PGPASSWD
  PGPASSWD
  PGPASSWD
  export PGPASSWD=UberSecret

  I suggest removing group read permissions on the crash report file to
  prevent other users in the same group from reading the potentially
  sensitive crash data. I tested the following patch which resolves the
  issue in process_crash() by changing the permissions from 640 to 600.

  
  diff --git a/data/apport b/data/apport
  index 1200fb07..a2d33a81 100755
  --- a/data/apport
  +++ b/data/apport
  @@ -1154,7 +1154,7 @@ def process_crash(
       recover_privileges()

       # make the report writable now, when it's completely written
  -    os.fchmod(fd, 0o640)
  +    os.fchmod(fd, 0o600)
       logger.info("wrote report %s", report)

       if write_coredump_callback:
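
Review bot: The comment kept above the changed os.fchmod() line ("make the report writable now, when it's completely written") says nothing about who may read the report, so nothing in the code records why the mode is 0o600 rather than 0o640. I would extend that comment to state that group and other access are dropped deliberately because the report embeds the core dump, so a later cleanup does not restore group read. The diff touches only data/apport; a test asserting the mode of a freshly written report would keep this from regressing.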

  
  After applying the above patch, as user1 delete the existing crash file.

  user1@apport-test:~$ rm /var/crash/_usr_bin_bash.1001.crash

  
  As user1, execute bash, and then export the PGPASSWD variable to
  UberSecret. Send the SIGABRT signal to the bash process to induce a
  crash.

  user1@apport-test:~$ bash
  user1@apport-test:~$ export PGPASSWD=UberSecret
  user1@apport-test:~$ kill -ABRT $$
  Aborted (core dumped)

  
  Note the permissions of the newly generated crash report are now 600
  which prevents the staff group from reading the file.

  user1@apport-test:~$ ls -ld /var/crash/_usr_bin_bash.1001.crash
  -rw------- 1 user1 staff 97552 Apr  6 13:18 /var/crash/_usr_bin_bash.1001.crash

  
  As user2, executing the apport-unpack command on the crash file now
  results in a "Permission denied" error.

  user2@apport-test:~$ apport-unpack /var/crash/_usr_bin_bash.1001.crash /tmp/unpacked.new
  ERROR: [Errno 13] Permission denied: '/var/crash/_usr_bin_bash.1001.crash'

To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/2106338/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
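
The patch above changes the mode only for reports written after it is applied, so reports already in /var/crash keep their 0640 mode. The following audit is an added example, not part of the bug report or of apport's code; the function name audit_reports and the --fix switch are assumptions made for illustration.

```python
import os
import stat
import sys

CRASH_DIR = "/var/crash"   # report directory named in the bug description
EXPOSED_BITS = 0o077       # any group or other permission bit


def audit_reports(crash_dir=CRASH_DIR, fix=False):
    """Return [(path, old_mode)] for *.crash files exposing group/other bits.

    With fix=True each finding is reduced to 0o600, the mode the patch sets.
    """
    findings = []
    for entry in sorted(os.scandir(crash_dir), key=lambda e: e.name):
        if not entry.name.endswith(".crash"):
            continue
        try:
            # The directory is world-writable (sticky), so never follow a
            # symlink another user may have planted; work on the fd only.
            flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
            fd = os.open(entry.path, flags)
        except OSError:
            continue  # symlink, vanished, or not readable by this user
        try:
            st = os.fstat(fd)
            mode = stat.S_IMODE(st.st_mode)
            if not stat.S_ISREG(st.st_mode) or not mode & EXPOSED_BITS:
                continue
            findings.append((entry.path, mode))
            if fix:
                try:
                    os.fchmod(fd, 0o600)  # succeeds only for owner or root
                except PermissionError:
                    pass  # still reported so an administrator can follow up
        finally:
            os.close(fd)
    return findings


if __name__ == "__main__":
    fix = "--fix" in sys.argv[1:]
    for path, mode in audit_reports(fix=fix):
        print(f"{oct(mode)} {path}" + (" -> 0o600" if fix else ""))
```

Run as root to cover every user's reports; an unprivileged user can tighten only their own files.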
