6635f57d3e
Right now the kernel will not dump anything that went through setuid or setgid. But it is routine for daemons to do that, and it makes things hard to debug. systemd-coredump saves the coredump readable by the users the process was running as. This should be enough to avoid information leakage. So let's also tell the kernel to do the coredump. For https://bugzilla.redhat.com/show_bug.cgi?id=1790972. Both patterns are stored in the same file, so they are enabled or disabled together. (Though suid_dumpable=2 is supposed to be safe even when writing to plain files.)
28 lines
1.2 KiB
Plaintext
28 lines
1.2 KiB
Plaintext
# This file is part of systemd.
|
|
#
|
|
# systemd is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
# the Free Software Foundation; either version 2.1 of the License, or
|
|
# (at your option) any later version.
|
|
|
|
# See sysctl.d(5) for the description of the files in this directory.
|
|
|
|
# Pipe the core file to systemd-coredump. The systemd-coredump process spawned
|
|
# by the kernel will start a second copy of itself as the
|
|
# systemd-coredump@.service, which will do the actual processing and storing of
|
|
# the core dump.
|
|
#
|
|
# See systemd-coredump(8) and core(5).
|
|
kernel.core_pattern=|@rootlibexecdir@/systemd-coredump %P %u %g %s %t %c %h
|
|
|
|
# Also dump processes executing a set-user-ID/set-group-ID program that is
|
|
# owned by a user/group other than the real user/group ID of the process, or
|
|
# a program that has file capabilities. ("2" is called "suidsafe" in core(5)).
|
|
#
|
|
# systemd-coredump will store the core file owned by the effective uid and gid
|
|
# of the running process (and not the filesystem-user-ID which the kernel uses
|
|
# when saving a core dump).
|
|
#
|
|
# See proc(5), setuid(2), capabilities(7).
|
|
fs.suid_dumpable=2
|