gnupg2 (gpg-agent): Disable producing of core dumps for gpg-agent via prctl(PR_SET_DUMPABLE, 0) as ssh-agent does
Closed, ResolvedPublic

Description

Hello GnuPG upstream,

Based on http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712744 it looks
like the gpg-agent tool currently does not have core dumps disabled (as, for
example, ssh-agent does).

While this would not be a security flaw, it looks like a proper candidate for
an enhancement.

Can you implement / apply the call to prctl(PR_SET_DUMPABLE, 0); for gpg-agent
in future gnupg2 versions? (Possibly together with updating the gpg-agent CLI,
adding an option that would act as a switch to specify when dumping of core
files should be enabled / is desired, and documenting that option in the
manual page.)

Thank you && Regards, Jan.

Jan iankko Lieskovsky / Red Hat Security Response Team

Details

iankko set External Link to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712744. Jun 19 2013, 3:00 PM
iankko set Version to 2.0.20.
iankko added a subscriber: iankko.
werner added a subscriber: werner. Jun 19 2013, 11:11 PM

GnuPG uses setrlimit to disable core dumps. It has always done so. See
common/sysutils.c:disable_core_dumps. Do you have a test case which shows that
it does not work?

Hello Werner,

Werner Koch <wk@gnupg.org> added the comment:

GnuPG uses setrlimit to disable core dumps. It has always done so. See
common/sysutils.c:disable_core_dumps. Do you have a test case which shows
that it does not work?

No, I don't have a test case. The issue was reported only based on the Debian
BTS entry. Cc-ing Samuel Bronson, the original issue reporter.

Samuel, do you have such a reproducer && if so, could you share it with us?

Thank you && Regards, Jan.

Jan iankko Lieskovsky / Red Hat Security Response Team

gniibe added a subscriber: gniibe. Jul 12 2013, 2:15 PM

I think that the original reporter's intention is to prevent attaching by ptrace.
With PR_SET_DUMPABLE disabled, ptrace PTRACE_ATTACH won't work any more.
This would be better if we care about kernel compatibility.
In http://bugs.debian.org/714107, I found that setrlimit64 doesn't work reliably
for 2.6.34 or older. PR_SET_DUMPABLE seems to work even for 2.4.x.

What is the threat model for this? If you are able to ptrace a process, you can
do all other kinds of stuff, like replacing gpg with your own code. If the box
has been taken over, we are in a game-over state.

Disabling core dumps is a different issue because a core dump leaves traces of
the process on the disk.
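The two mechanisms discussed in this thread side by side, as an added example that is not GnuPG's code: disable_core_dumps_rlimit is an assumed reimplementation of what common/sysutils.c:disable_core_dumps does (RLIMIT_CORE set to zero), disable_dumpable is the ssh-agent-style prctl call requested in the ticket, and the function names are hypothetical. Both helpers report whether the change actually took effect, which is the test case Werner asked for.

```c
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/resource.h>
/* What GnuPG's disable_core_dumps does in spirit (assumed reimplementation,
   not GnuPG's code): zero the soft and hard RLIMIT_CORE, so the kernel
   writes no core file.  Returns 0 on success. */
static int disable_core_dumps_rlimit(void)
{
    struct rlimit limit = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &limit);
}

/* The ssh-agent-style hardening requested in the ticket: clearing the
   dumpable flag suppresses core dumps and makes PTRACE_ATTACH by unprivileged
   processes fail (CAP_SYS_PTRACE can still attach); reset to 1 on execve(). */
static int disable_dumpable(void)
{
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
}

/* Verification helpers: is the core limit zero, and is the process dumpable? */
static int core_limit_is_zero(void)
{
    struct rlimit limit;
    if (getrlimit(RLIMIT_CORE, &limit) != 0)
        return 0;
    return limit.rlim_cur == 0 && limit.rlim_max == 0;
}

static int process_is_dumpable(void)
{
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);   /* 1 = dumpable, 0 = not */
}

/* Apply both mechanisms and confirm they took effect; 0 when both did. */
static int harden_agent_process(void)
{
    if (disable_core_dumps_rlimit() != 0 || disable_dumpable() != 0)
        return -1;
    return (core_limit_is_zero() && !process_is_dumpable()) ? 0 : -1;
}

int main(void)
{
    int rc = harden_agent_process();
    printf("dumpable=%d core_limit_zero=%d rc=%d\n",
           process_is_dumpable(), core_limit_is_zero(), rc);
    return rc == 0 ? 0 : 1;
}
```

Linux only (prctl); the rlimit half also works on other Unix systems, which is why the agent keeps it as its portable baseline.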

gniibe added a comment. Apr 3 2015, 5:51 AM

As I wrote to #712744, distributions nowadays are conservative enough in their
default kernel settings, and they don't require each application to have special
settings.

I think that we will be able to close this soon.

justus closed this task as Resolved. Apr 5 2016, 2:59 PM
justus claimed this task.
justus added a subscriber: justus.

gpg-agent does disable core dumps in both the stable and the modern version.
Furthermore, I have to agree with Werner here: if there is a process that can
ptrace your gpg-agent, then you have already lost anyway.