[Bug 2106338] Re: Apport Report File Insecure Permissions

Benjamin Drung 2106338 at bugs.launchpad.net
Fri Jun 6 10:28:44 UTC 2025 

** Changed in: apport
       Status: Fix Committed => Fix Released

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/2106338

Title:
  Apport Report File Insecure Permissions

Status in Apport:
  Fix Released
Status in apport package in Ubuntu:
  Triaged

Bug description:
  When a low privileged processes crashes, an apport crash report file
  is written to /var/crash which contains various technical details
  including the raw base64 encoded core dump. A core file could
  potentially include sensitive data such as passwords and encryption
  keys. The issue is the report file has group read permissions by
  default. Any user that is a member the same primary group can read the
  crash reports of another user which could lead to the disclosure of
  sensitive information.

  
  Test Environment

  Ubuntu 24.04.2 LTS
  apport 2.28.1-0ubuntu3.5

  
  Setup

  Create two users with the primary group set to staff. For this PoC,
  the following users are used.

  
  root at apport-test:~# id user1
  uid=1001(user1) gid=50(staff) groups=50(staff)

  root at apport-test:~# id user2
  uid=1002(user2) gid=50(staff) groups=50(staff)

  
  Steps to reproduce

  As user1, execute bash, and then export the PGPASSWD variable to the
  string UberSecret. Send the SIGABRT signal to the bash process to
  induce a crash.

  
  Example:

  user1 at apport-test:~$ bash
  user1 at apport-test:~$ export PGPASSWD=UberSecret
  user1 at apport-test:~$ kill -ABRT $$
  Aborted (core dumped)

  Verify the crash report is written to
  /var/crash/_usr_bin_bash.<UID>.crash. Note the staff group permissions
  have read access

  user1 at apport-test:~$ ls -lart /var/crash
  total 104
  drwxr-xr-x 13 root  root   4096 Jul  2  2024 ..
  drwxrwsrwt  2 root  root   4096 Apr  6 09:58 .
  -rw-r-----  1 user1 staff 97412 Apr  6 09:58 _usr_bin_bash.1001.crash

  
  As user2 execute the apport-unpack program to unpack the crash report to /tmp/unpacked.

  user2 at apport-test:~$ apport-unpack /var/crash/_usr_bin_bash.1001.crash
  /tmp/unpacked

  
  As user2 execute "strings /tmp/unpacked/CoreDump |grep -w PGPASSWD" to search the CoreDump file for the PGPASSWD environment variable value. The user2 user is able to read sensitive data associated with a crash for a process executed by user1.

  user2 at apport-test:~$ strings /tmp/unpacked/CoreDump |grep -w PGPASSWD
  PGPASSWD
  PGPASSWD
  export PGPASSWD=UberSecret
  ```

  I suggest to remove group read permissions on the crash report file to
  prevent other users in the same group from reading the potentially
  sensitive crash data. I tested the following patch which resolves the
  issue in process_crash() by changing the permissions from 640 to 600.

  
  diff --git a/data/apport b/data/apport
  index 1200fb07..a2d33a81 100755
  --- a/data/apport
  +++ b/data/apport
  @@ -1154,7 +1154,7 @@ def process_crash(
       recover_privileges()

       # make the report writable now, when it's completely written
  -    os.fchmod(fd, 0o640)
  +    os.fchmod(fd, 0o600)
       logger.info("wrote report %s", report)

       if write_coredump_callback:

  
  After applying the above patch, as user1 delete the existing crash file.

  user1 at apport-test:~$ rm /var/crash/_usr_bin_bash.1001.crash

  
  As user1, execute bash, and then export the PGPASSWD variable to UberSecret. Send the SIGABRT signal to the bash process to induce a crash.

  user1 at apport-test:~$ bash
  user1 at apport-test:~$ export PGPASSWD=UberSecret
  user1 at apport-test:~$ kill -ABRT $$
  Aborted (core dumped)

  
  Note the permissions of the newly generated crash report are now 600 which prevent the staff group from reading the file.

  user1 at apport-test:~$ ls -ld /var/crash/_usr_bin_bash.1001.crash
  -rw------- 1 user1 staff 97552 Apr  6 13:18 /var/crash/_usr_bin_bash.1001.crash

  
  As user2, executing the apport-unpack command on the crash file now results in a "Permission denied" error.

  user2 at apport-test:~$ apport-unpack /var/crash/_usr_bin_bash.1001.crash /tmp/unpacked.new
  ERROR: [Errno 13] Permission denied: '/var/crash/_usr_bin_bash.1001.crash'

To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/2106338/+subscriptions

More information about the foundations-bugs mailing list