On Feb 15, 2016 10:36 PM, "Jakub Filak" <jfi...@redhat.com> wrote:
>
> It looks like there are no opponents of this change but several supporters
> and few of them even want to have suid_dumpable=2 in all releases.
>
> I was thinking about it and Richard W.M. Jones' email about safeness of
> suid_dumpable=2 without ABRT gave me an idea to teach ABRT to set
> suid_dumpable=2 in abrt-ccpp.service. The service sets kernel.core_pattern
> (/proc/sys/kernel/core_pattern) to the ABRT pattern, so it could also update
> suid_dumpable. If an administrator uninstalls/turns off ABRT, suid_dumpable
> would get back the OS default value. If he/she modifies core_pattern by hand,
> then he/she is skilled enough to spot the kernel warning in the logs.
>
> What do you think about it?
> I would especially like to hear thoughts on this from security experts.
>
> Do I need to get any permission to do so?

This idea makes me very nervous. I would *much* rather that the kernel be changed.

Also, is ABRT itself safe? That is, if an unprivileged user starts, say, passwd and forces a coredump, can that user convince ABRT to show them the core file?

--Andy

>
>
> Regards,
> Jakub
>
>
> On 02/12/2016 01:24 PM, Jakub Filak wrote:
>>
>> ----- Forwarded Message -----
>> From: "Jakub Filak" <jfi...@redhat.com>
>> To: secur...@lists.fedoraproject.org
>> Sent: Thursday, February 11, 2016 9:51:04 AM
>> Subject: Use suid_dumpable=2 for development releases
>>
>> Hello,
>>
>> As a maintainer of ABRT, I have been asked several times why ABRT does not catch
>> crashes of many processes and one kind of reason dominates among other reasons
>> - processes that execute set-user-ID programs (man 5 core). These processes
>> are not dumped at all if the value of /proc/sys/fs/suid_dumpable is 0 (man 5
>> proc) which is the default value. With the default suid_dumpable
>> value, crashes caused by SIGABRT are not detectable because the kernel doesn't even
>> write a log message about that.
>>
>> The default value 0 is there for a good security reason, but I would like to
>> propose changing the default value to 2 for development Fedora releases (Alpha,
>> Beta, Rawhide). In this case, the kernel would send the core dump to ABRT (or
>> systemd-coredump) and the ABRT record would be accessible only to root.
>>
>> I believe that maintainers of packages like chrony will be really delighted
>> with this change, while it will not weaken the security of Fedora for regular users.
>>
>>
>> Regards,
>> Jakub
>> --
>> security mailing list
>> secur...@lists.fedoraproject.org
>> http://lists.fedoraproject.org/admin/lists/secur...@lists.fedoraproject.org
>> --
>> devel mailing list
>> devel@lists.fedoraproject.org
>> http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
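The pairing this thread turns on can be audited on a host: since Linux 3.6 the kernel only dumps privileged processes under suid_dumpable=2 when core_pattern is a pipe or an absolute path (man 5 proc). The script below is an added example, not part of the original messages and not ABRT code; the function name `assess` and the handler path used in testing are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Audit the fs.suid_dumpable / kernel.core_pattern pairing (added example)."""
from pathlib import Path
from typing import Tuple

SUID_DUMPABLE = Path("/proc/sys/fs/suid_dumpable")
CORE_PATTERN = Path("/proc/sys/kernel/core_pattern")


def assess(suid_dumpable: str, core_pattern: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one pair of sysctl values."""
    mode = suid_dumpable.strip()
    pattern = core_pattern.strip()
    if mode == "0":
        return "ok", "set-user-ID processes are not dumped (kernel default)"
    if mode == "1":
        # "debug" mode: no security is applied to privileged cores.
        return "risk", "privileged cores are written owned by the crashing user"
    if mode != "2":
        return "unknown", f"unexpected suid_dumpable value {mode!r}"
    # Mode 2 ("suidsafe"): privileged cores need a pipe or absolute path.
    if pattern.startswith("|"):
        parts = pattern[1:].split()
        handler = parts[0] if parts else "(empty)"
        # The handler runs as root and receives privileged process memory,
        # so access to whatever it stores decides the exposure.
        return "review", f"privileged cores piped to {handler}; confirm its records are root-only"
    if pattern.startswith("/"):
        return "review", "privileged cores written root-readable; check the target directory"
    return "broken", "relative core_pattern: privileged crashes are not dumped, kernel logs a warning"


def main() -> int:
    """Assess the live values; exit non-zero unless the verdict is ok/review."""
    if not (SUID_DUMPABLE.exists() and CORE_PATTERN.exists()):
        print("procfs sysctl files not found; run this on a Linux host")
        return 2
    verdict, reason = assess(SUID_DUMPABLE.read_text(), CORE_PATTERN.read_text())
    print(f"{verdict}: {reason}")
    return 0 if verdict in ("ok", "review") else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

A "review" verdict is where the question raised in the reply applies: the kernel side is consistent, and what remains is who can read the dumps the handler or directory ends up holding.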