Theo de Raadt wrote:

I want to chroot an application I'm developing, but I still want coredumps...

   _dump.c_
   #include <stdlib.h>
   int main() {
       abort();
   }


   # gcc dump.c -o dump
   # ./dump
   Abort trap (core dumped)
   # chroot ./ ./dump
   Abort trap                        [note that no core was dumped!]

At the moment there is no solution for this.  Coredumps cannot happen
in those processes.

Really? By "at the moment", do you mean to suggest that this might be made to work? I tried to look up what POSIX defines, but Google results aren't very helpful these days. I tested on RedHat 8 and it does dump core after chroot...

If I may try to make a case for enabling dumps after chroot, please consider that the intent of chroot is to increase security by preventing a compromised app from accessing the file-system outside. But the app was compromised in the first place by exploiting a bug in the code (i.e. buffer overrun) and bugs are many times fixed through stacktrace analysis. Especially with 3.8's new memory-management (mmap'ed guard pages, etc.) and the fact that OBSD's user-base is paranoid enough to chroot as much as possible - I would think that dumps after chroot would be helpful...

BTW, I not only want to use chroot to secure my application, but also to aid in software deployment - that is, the installer prompts the user where to install (which will become the chroot) - not only does this free up my logic from having to figure out where it was installed using path manipulation (it can always assume / for its file access needs), but I can also have multiple instances installed - as the global filesystem's namespace is no longer an issue. [I guess in a way, this is some of what has motivated the development of FreeBSD's jailNG, UserModeLinux, and VMware's ESX/GSX servers...]

I am aware that root can bust out of a chroot and so dropping perms via setuid() and its variants is fairly common. I also know that setuid() disables cores [a policy I disagree with for the same reasons], but I have found a way to get around that using a combination of fork() and execv() - so my only remaining issue is with chrooted processes not dumping core...


Kent
