On 12/02/16 12:24, Jakub Filak wrote:
As a maintainer of ABRT, I have been asked several times why ABRT does not catch crashes of many processes and one kind of reasons dominate among other reasons - processes that executes set-user-ID programs (man 5 core). These processes are not dumped at all if the value of /proc/sys/fs/suid_dumpable is 0 (man 5 proc) which is the default value. With the default suid_dumpable value, crashes caused by SIGABRT are not detectable because kernel doesn't even write a log message about that. The default value 0 is there for good security reason, but I would like to propose changing the default value to 2 for development Fedora releases (Alpha, Beta, Rawhide). In this case, kernel would send core dump to ABRT (or systemd-coredump) and the ABRT record would be accessible only to root. I believe that maintainers of packages like chrony will be really delighted with this change, while will not weaken security of Fedora for regular users.
What part of chrony is setuid? I don't see an suid bit on any of it's executables... Nor any file capabilities which is the other thing the manual page says triggers this.
Tom -- Tom Hughes (tom@xxxxxxxxxx) http://compton.nu/ -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
