From: Alexey Dobriyan <adobriyan@gmail.com>
To: akpm@linux-foundation.org
Cc: linux-kernel@vger.kernel.org, keescook@chromium.org
Subject: [PATCH] coredump: clarify "unsafe core_pattern" warning
Date: Sat, 29 Oct 2016 18:21:24 +0300
Message-ID: <20161029152124.GA1258@avx2>

I was amused to find "unsafe core_pattern" warning having these lines
in /etc/sysctl.conf:

	fs.suid_dumpable=2
	kernel.core_pattern=/core/core-%e-%p-%E
	kernel.core_uses_pid=0

Turns out kernel is formally right. Default core_pattern is just "core",
which doesn't qualify for secure path while setting suid.dumpable.

Hint admins about solution, clarify sysctl names, delete unnecessary '\'
characters (string literals are concatenated regardless) and reformat
for easier grepping.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
---
kernel/sysctl.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
commit ba93b14a4f61e4563134abab5d81bb8b53c60df9
Author: Alexey Dobriyan <adobriyan@gmail.com>
Date: Sat Oct 29 18:13:57 2016 +0300
kernel.core_dump
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2403,9 +2403,11 @@ static void validate_coredump_safety(void)
#ifdef CONFIG_COREDUMP
if (suid_dumpable == SUID_DUMP_ROOT &&
core_pattern[0] != '/' && core_pattern[0] != '|') {
- printk(KERN_WARNING "Unsafe core_pattern used with "\
- "suid_dumpable=2. Pipe handler or fully qualified "\
- "core dump path required.\n");
+ printk(KERN_WARNING
+"Unsafe core_pattern used with fs.suid_dumpable=2.\n"
+"Pipe handler or fully qualified core dump path required.\n"
+"Set kernel.core_pattern before fs.suid_dumpable.\n"
+ );
}
#endif
}
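
Review bot: the three added string literals in the printk() call start directly after the `+` with no indentation, and the closing `);` takes a line of its own, while the `printk(KERN_WARNING` line above them keeps its leading whitespace. The grepping goal from the commit message is already met by keeping each sentence in one unbroken literal, so the literals can be indented to the argument position without splitting them. Using pr_warn() instead of printk(KERN_WARNING ...) would also shorten the call and let the closing parenthesis sit on the last literal's line.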