Ubuntu
linux-source-2.6.15 package

/proc/kcore not openable

Bug #55804 reported by Matthias Kretz
8
Affects Status Importance Assigned to Milestone
linux-source-2.6.15 (Ubuntu)
Invalid
Undecided
Unassigned

Bug Description

Binary package hint: linux-image-2.6.15-26-686

/proc/kcore is available, but opening it as root always returns -EPERM.

It really should be readable as root - and it is in vanilla kernels and also in the kernels on previous ubuntu releases. If you found a security reason to to allow reading of /proc/kcore as root you could just as well remove the (pseudo) file. I don't see the added security - only that I lost data which I could have recovered if only I could have read /proc/kcore.

Revision history for this message
Ben Collins (ben-collins) wrote :

Yep, the specific reason was that in general, this does not need to be available, and only exposes memory that could contain very sensitive data.

Only certain portions of /proc/kcore are readable, and that is just to allow things like Xorg to work.

Changed in linux-source-2.6.15:
status: Unconfirmed → Rejected
Revision history for this message
Matthias Kretz (mkretz) wrote :

> in general, this does not need to be available

What defines the need? I had a need for /proc/kcore yesterday and I had the need before.

> exposes memory that could contain very sensitive data

Yes it does. But it's only exposed to the root user. And the root user can do anything to the system. Where's the added security in crippling /proc/kcore (and /dev/mem)?

I'm not convinced disabling /proc/kcore adds security. It might make it a little harder for an attacker that got root rights to get to sensitive information but it won't prevent it in any case. On the other hand it disallows legitimate use of it and therefore cripples the system in an unnecessary way.

I guess from now on I have to patch and recompile the kernel everytime Ubuntu releases a new image ;-(

Revision history for this message
Dennis Kaarsemaker (dennis) wrote : Re: [Bug 55804] Re: /proc/kcore not openable

> What defines the need? I had a need for /proc/kcore yesterday and I
> had the need before.

It might help if you say what you need it for. Ubuntu kernel developers
aren't monsters and will listen to reasonable arguments :)

Revision history for this message
Matthias Kretz (mkretz) wrote :

That's what I wrote in the top post:
> only that I lost data which I could have recovered if only I could have
> read /proc/kcore.

It's just like grepping /dev/hda? if you deleted a file in error: I wrote a text and I couldn't get back to it (it was in a web browser text field and the browser didn't go back to the page where the text was entered) but I was pretty sure the text was still in memory (in utf16, but grepping for utf16 text isn't that hard). So the 30+ minutes and creativity for writing the text were permanently lost instead of recovered in a few minutes through reading /proc/kcore.

Read the full story at http://vir.homelinux.org/blog/index.php?/archives/30-Lost-time.html

Revision history for this message
Dragomir Minkovski (dejuren) wrote :

Reopening, Wouter Hanegraaff from OpenOfficeNL is complaining about it.
Citation: "Yesterday, I tried searching /proc/kcore when a crashed application didn't save it's data before crashing. Although this has worked many times before, it didn't right now: all I got was a tiny bit of data, followed by the error Operation not permitted.

How to reproduce:
- start ubuntu dapper, newest kernel
- type: cat /proc/kcore >/tmp/file as root

This was reported as https://launchpad.net/ubuntu/+source/linux-source-2.6.15/+bug/55804

Denying access to /proc/kcore is not a security feature, it's a bug! I've rescued lost data many times by just searching /proc/kcore.

Please fix this in the next kernel update for ubuntu dapper.

Wouter"

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.