Hello,
As an ABRT maintainer, I have been asked several times why ABRT does not
catch
crashes of many processes and one kind of reasons dominate among other
reasons -
processes that executes set-user-ID programs (man 5 core). These
processes are
not dumped at all if the value of /proc/sys/fs/suid_dumpable is 0 (man 5
proc)
which is the default value. With the default suid_dumpable value, crashes
caused by SIGABRT are not detectable because kernel doesn't even write a
log message about that.
The default value 0 is there for good security reason, but I would like to
propose changing the default value to 2 for development Fedora releases
(Alpha,
Beta, Rawhide). In this case, kernel would send core dump to ABRT (or
systemd-coredump) and the ABRT record would be accessible only to root.
I believe that maintainers of packages like chrony will be really delighted
with this change, while will not weaken security of Fedora for regular
users.
Regards,
Jakub
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/security@xxxxxxxxxxxxxxxxxxxxxxx
