On 02/12/2016 07:57 PM, Andrew Lutomirski wrote:
On Fri, Feb 12, 2016 at 10:32 AM, Richard W.M. Jones <rjones@xxxxxxxxxx> wrote:
On Fri, Feb 12, 2016 at 07:24:06AM -0500, Jakub Filak wrote:
The default value 0 is there for a good security reason, but I would
like to propose changing the default value to 2 for development
Fedora releases (Alpha, Beta, Rawhide). In this case, the kernel would
send the core dump to ABRT (or systemd-coredump) and the ABRT record
would be accessible only to root.

It seems like this would be unsafe if core_pattern is not a pipe or
fully qualified path.
Ref: https://lwn.net/Articles/503682/

That's fine when ABRT is running, but would be unsafe if someone
disabled ABRT by directly setting core_pattern (eg. to "core.%p"), but
forgot about suid_dumpable.

The kernel does emit KERN_WARNING about this situation (upstream
commit 54b501992dd2), but it's not clear if a sysadmin would notice.

(I'm actually quite happy for the default to be changed as you
suggest, but can see it's a bit of a minefield.)

We could change the kernel to add suid_dumpable == 3 which is like
suid_dumpable==2 but only if the core_pattern is a pipe.

Starting with systemd-229 the default core_pattern has been changed to
"|/bin/false" [1], hence, if a user uninstalls ABRT or disables
abrt-ccpp.service, the core_pattern will be either "|/bin/false" or
"|/usr/lib/systemd/systemd-coredump ...". Thus the only case where
core_pattern can contain a string not starting with a pipe is when an admin
changes it manually ("sysctl kernel.core_pattern ...", "echo ... >
/proc/sys/kernel/core_pattern", etc).

Taking into account this new fact, do we still need to change the kernel?

Regards,
Jakub

[1] https://github.com/systemd/systemd/commit/15a900327aba7dc4dc886affe1ae22d3b759b193
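
The check this thread revolves around, as an added example that is not part of the original message or of any project named in it: it flags suid_dumpable=2 combined with a core_pattern that is neither a pipe nor a fully qualified path. The function names and the /var/crash sample path are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag the suid_dumpable/core_pattern
# combination the thread calls unsafe.

# classify_dump_config MODE PATTERN -> prints ok | unsafe | review
classify_dump_config() {
    case $1 in
        0) echo ok; return 0 ;;       # default: setuid programs do not dump core
        2) ;;                         # root-only dumps: depends on the pattern
        *) echo review; return 0 ;;   # any other value is outside this thread
    esac
    case $2 in
        '|'*) echo ok ;;              # piped to a handler (ABRT, systemd-coredump, /bin/false)
        /*)   echo ok ;;              # fully qualified path
        *)    echo unsafe ;;          # relative pattern such as core.%p
    esac
}

# Read the live values when available; skip quietly otherwise.
audit_live_system() {
    if [ -r /proc/sys/fs/suid_dumpable ] && [ -r /proc/sys/kernel/core_pattern ]; then
        live_mode=$(cat /proc/sys/fs/suid_dumpable)
        live_pattern=$(cat /proc/sys/kernel/core_pattern)
        printf 'live: suid_dumpable=%s core_pattern=%s -> %s\n' \
            "$live_mode" "$live_pattern" \
            "$(classify_dump_config "$live_mode" "$live_pattern")"
    else
        echo 'live: sysctl files not readable, skipped'
    fi
}

# Constructed sample pairs modelled on the situations named in the thread
# (/var/crash/core.%p is a made-up absolute pattern).
for sample in '0 core.%p' '2 |/bin/false' '2 core.%p' '2 /var/crash/core.%p'; do
    printf '%-24s -> %s\n' "$sample" \
        "$(classify_dump_config "${sample%% *}" "${sample#* }")"
done
audit_live_system
```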