Comments (2)
that's a scary kernel release.
two things are happening here, both of them pertaining to security.c:
- check_kernel_version() is called to decide if user can mlock (>=2.6.9)
this fails but it's due to sscanf expecting major, minor and point release in your kernel version. You seem to only have 3.10-rcX, so maybe there's the rub.
```c
int check_kernel_version()
{
    struct utsname uts;
    if (uname(&uts) == -1) {
        fprintf(stderr, "%s (%s, %d)\n",
                _("Failed to discover kernel version."),
                strerror(errno), errno);
    } else if (!strncmp(uts.sysname, "Linux", 5)) {
        int maj, min, rel;
        /* requires all three fields: major.minor.point */
        if (sscanf(uts.release, "%d.%d.%d", &maj, &min, &rel) != 3) {
            fprintf(stderr, "%s (%s, %d)\n",
                    _("Failed to scan kernel release."),
                    strerror(errno), errno);
        } else {
            //fprintf(stdout, "kernel rel: %d.%d\n", maj, min);
            if (maj > 2 ||
                (maj == 2 && min > 6) ||
                (maj == 2 && min == 6 && rel >= 9))
                return 1;
        }
    }
    return 0;
}
```
- CPM tries to ptrace attach to itself to avoid getting debugged for secrets, and fails, which causes it to shoot itself in the head. This needs some investigation: can you try a snippet of code for me that just tries to attach itself?
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strerror() */
#include <signal.h>   /* kill(), SIGKILL */
#include <errno.h>
#include <sys/utsname.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

int main()
{
    int status;
    pid_t p, p0 = getpid();

    p = fork();
    if (p == -1) {
        fprintf(stderr, "Could not fork: %s\n", strerror(errno));
        _exit(1);
    }
    if (p == 0) {
        /* child: make itself non-dumpable, then attach to the parent */
        if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
            fprintf(stderr, "Can not set child non dumpable\n");
            _exit(1);
        }
        if (ptrace(PT_ATTACH, p0, 0, 0) != 0) {
            // someone is already attached to us; shoot the parent in the head
            fprintf(stderr, "Can't attach to parent!\n");
            perror("foobar");
            kill(p0, SIGKILL);
            _exit(1);
        }
        printf("Attached to %d\n", p0);
        while (1) {
            if (ptrace(PT_SYSCALL, p0, 0, 0) == 0)
                waitpid(p0, &status, 0);
            if (errno == ESRCH && kill(p0, 0) == -1)
                exit(0); // parent is dead
        }
        _exit(0);
    } else { // twiddle thumbs
        fprintf(stderr, "forked %d from %d\n", p, p0);
        while (1) {
            sleep(1); // ZzzZZzZZ
        }
    }
}
```
from cpm.
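The version-parsing failure described in the comment above, as an added example that is not part of the thread and not the project's fix (the contents of 8c23b2e are not shown on this page). The function names and the sample release strings are constructed for illustration; the tolerant variant treats a missing point release as 0 and returns -1 on unparseable input so the caller can fail closed.

```c
#include <stdio.h>

/* Strict check, same logic as the quoted check_kernel_version(): all three fields required. */
static int strict_at_least_2_6_9(const char *release)
{
    int maj, min, rel;
    if (sscanf(release, "%d.%d.%d", &maj, &min, &rel) != 3)
        return 0;   /* "3.10-rc5" ends up here: only two fields convert */
    return maj > 2 || (maj == 2 && min > 6) || (maj == 2 && min == 6 && rel >= 9);
}

/* Tolerant variant (hypothetical helper): major.minor is enough, point defaults to 0.
 * Returns 1 if the release is >= 2.6.9, 0 if older, -1 if it cannot be parsed. */
static int tolerant_at_least_2_6_9(const char *release)
{
    int maj = 0, min = 0, rel = 0;
    int n = sscanf(release, "%d.%d.%d", &maj, &min, &rel);
    if (n < 2 || maj < 0 || min < 0 || rel < 0)
        return -1;  /* also covers EOF (-1) from an empty string */
    return maj > 2 || (maj == 2 && min > 6) || (maj == 2 && min == 6 && rel >= 9);
}

int main(void)
{
    /* constructed sample release strings */
    const char *samples[] = { "3.10-rc5", "3.10.0-rc5", "2.6.9-smp", "2.6.8", "garbage" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s strict=%d tolerant=%d\n", samples[i],
               strict_at_least_2_6_9(samples[i]),
               tolerant_at_least_2_6_9(samples[i]));
    return 0;
}
```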
this should be fixed in 8c23b2e
from cpm.