diff options
| author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2020-04-03 22:05:25 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2020-04-07 15:28:46 +0200 |
| commit | 6635f57d3eeb16051b00ba331da3c8d4f7e578da (patch) | |
| tree | 44620aabcf0534f562aa33a6ec5dfa21e5f4c784 /NEWS | |
| parent | f9d29f6d06058104ac88431495b36bc5edc45843 (diff) | |
| download | systemd-6635f57d3eeb16051b00ba331da3c8d4f7e578da.tar.gz | |
sysctl: enable coredump for suid binaries
Right now the kernel will not dump anything that went through setuid or
setgid. But it is routine for daemons to do that, and it makes things hard to
debug.
systemd-coredump saves the coredump readable by the users the process was
running as. This should be enough to avoid information leakage. So let's also
tell the kernel to do the coredump.
For https://bugzilla.redhat.com/show_bug.cgi?id=1790972.
Both patterns are stored in the same file, so they are enabled or disabled
together. (Though suid_dumpable=2 is supposed to be safe even when writing to
plain files.)
Diffstat (limited to 'NEWS')
| -rw-r--r-- | NEWS | 6 |
1 files changed, 6 insertions, 0 deletions
@@ -1,5 +1,11 @@ systemd System and Service Manager +CHANGES WITH 246 in spe: + * The fs.suid_dumpable sysctl is set to 2 / "suidsafe". This allows + systemd-coredump to save core files for suid processes. When saving + the core file, systemd-coredump will use the effective uid and gid of + the process that faulted. + CHANGES WITH 245: * A new tool "systemd-repart" has been added, that operates as an |