Apport drops its privileges according to the UID and GID values it extracts from /proc/pid/status.
The get_pid_info function iterates over each line of the status file; if a line starts with "Uid:" or "Gid:", it takes the first value after the field name and stores it in the real_uid or real_gid variable.
    # /proc/<pid>/status is opened in text mode (universal newlines), then
    # scanned line by line until both ids have been read.
    with open('status', opener=proc_pid_opener) as f:
        for line in f:
            if line.startswith('Uid:'):
                # "Uid:\t<real>\t<effective>\t<saved>\t<fs>" -> take the real uid
                real_uid = int(line.split()[1])
            elif line.startswith('Gid:'):
                real_gid = int(line.split()[1])
                break
Dropping privileges can be bypassed by crashing a process whose file name is set to "a\rUid: 0\rGid: 0".
When that process crashes, the UID and GID values are "injected" into the /proc/pid/status file (in the Name field), so Apport never really drops privileges (real_uid and real_gid are both 0).
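The parsing flaw behind this, as an added example that is not part of the original write-up or of Apport's own code: the kernel does not escape a bare carriage return in the Name field, and Python's text-mode reader treats "\r" as a line break, so the original loop matches the smuggled "Uid:"/"Gid:" lines before the genuine ones. The constructed status excerpt and the hardened parser (splitting only on "\n" and matching the field name exactly) are illustrations, not Apport's actual fix.

```python
import io

# Constructed /proc/<pid>/status excerpt: the Name value carries embedded
# carriage returns, followed by the genuine Uid/Gid lines of an
# unprivileged process (uid/gid 1000).
SAMPLE_STATUS = (
    b"Name:\ta\rUid: 0\rGid: 0\n"
    b"Umask:\t0022\n"
    b"State:\tS (sleeping)\n"
    b"Uid:\t1000\t1000\t1000\t1000\n"
    b"Gid:\t1000\t1000\t1000\t1000\n"
)


def parse_ids_vulnerable(raw: bytes):
    """Mirror the original loop: a text-mode read with universal newlines,
    so each bare '\\r' inside the Name value becomes a line break."""
    real_uid = real_gid = None
    reader = io.TextIOWrapper(io.BytesIO(raw), encoding="utf-8", newline=None)
    for line in reader:
        if line.startswith("Uid:"):
            real_uid = int(line.split()[1])
        elif line.startswith("Gid:"):
            real_gid = int(line.split()[1])
            break
    return real_uid, real_gid


def parse_ids_hardened(raw: bytes):
    """Split only on the '\\n' the kernel writes between fields and require
    an exact field name, so a value cannot smuggle in a second field."""
    real_uid = real_gid = None
    for line in raw.split(b"\n"):
        key, sep, value = line.partition(b":")
        if not sep:
            continue
        if key == b"Uid" and real_uid is None:
            real_uid = int(value.split()[0])   # real uid is the first column
        elif key == b"Gid" and real_gid is None:
            real_gid = int(value.split()[0])
    return real_uid, real_gid


if __name__ == "__main__":
    print("vulnerable:", parse_ids_vulnerable(SAMPLE_STATUS))  # (0, 0)
    print("hardened:  ", parse_ids_hardened(SAMPLE_STATUS))    # (1000, 1000)
```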