Pages: Welcome | Projects

Core dumps on CentOS 7

2017/10/17
Tags: [ GNU/Linux ]

I started by seeking on the Internet about this, I found out a lot of pointers to http://www.kibinlabs.com/re-enabling-core-dumps-redhat-7/ which is not available (at least for the moment). I had to figure out in other ways.

First off, the "non-systemd" way of having this is:

In Systemd the rules are somewhat different:

Security implications of fs.suid_dumpable=2

This is a value which is suggested around the web as a magic, without mentioning the security risks associated to it.

To begin with, what does 2 mean? Quoting [https://www.kernel.org/doc/Documentation/sysctl/fs.txt][kern]

suid_dumpable:

This value can be used to query and set the core dump mode for setuid
or otherwise protected/tainted binaries. The modes are

0 - (default) - traditional behaviour. Any process which has changed
    privilege levels or is execute only will not be dumped.
1 - (debug) - all processes dump core when possible. The core dump is
    owned by the current user and no security is applied. This is
    intended for system debugging situations only. Ptrace is unchecked.
    This is insecure as it allows regular users to examine the memory
    contents of privileged processes.
2 - (suidsafe) - any binary which normally would not be dumped is dumped
    anyway, but only if the "core_pattern" kernel sysctl is set to
    either a pipe handler or a fully qualified path. (For more details
    on this limitation, see CVE-2006-2451.) This mode is appropriate
    when administrators are attempting to debug problems in a normal
    environment, and either have a core dump pipe handler that knows
    to treat privileged core dumps with care, or specific directory
    defined for catching core dumps. If a core dump happens without
    a pipe handler or fully qualifid path, a message will be emitted
    to syslog warning about the lack of a correct setting.

And why is it a risk? CVE-2006-2451 as mentioned in the kernel documentation.

Another interesting point, quoting https://serverfault.com/questions/56800/on-redhat-what-does-kernel-suid-dumpable-1-mean#56818:

So the idea is, if there are core dumps and a regular user can read them, they might find out privileged information. If the program is dumped well it had privileged information in memory, and the user can read the dump, they might find out that privileged information.