| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20161029152124.GA1258@avx2>
Date: Sat, 29 Oct 2016 18:21:24 +0300
From: Alexey Dobriyan <adobriyan@...il.com>
To: akpm@...ux-foundation.org
Cc: linux-kernel@...r.kernel.org, keescook@...omium.org
Subject: [PATCH] coredump: clarify "unsafe core_pattern" warning
I was amused to find "unsafe core_pattern" warning having these lines
in /etc/sysctl.conf:
fs.suid_dumpable=2
kernel.core_pattern=/core/core-%e-%p-%E
kernel.core_uses_pid=0
Turns out kernel is formally right. Default core_pattern is just "core",
which doesn't qualify for secure path while setting suid.dumpable.
Hint admins about solution, clarify sysctl names, delete unnecessary '\'
characters (string literals are concatenated regardless) and reformat
for easier grepping.
Signed-off-by: Alexey Dobriyan <adobriyan@...il.com>
---
kernel/sysctl.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
commit ba93b14a4f61e4563134abab5d81bb8b53c60df9
Author: Alexey Dobriyan <adobriyan@...il.com>
Date: Sat Oct 29 18:13:57 2016 +0300
kernel.core_dump
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2403,9 +2403,11 @@ static void validate_coredump_safety(void)
#ifdef CONFIG_COREDUMP
if (suid_dumpable == SUID_DUMP_ROOT &&
core_pattern[0] != '/' && core_pattern[0] != '|') {
- printk(KERN_WARNING "Unsafe core_pattern used with "\
- "suid_dumpable=2. Pipe handler or fully qualified "\
- "core dump path required.\n");
+ printk(KERN_WARNING
+"Unsafe core_pattern used with fs.suid_dumpable=2.\n"
+"Pipe handler or fully qualified core dump path required.\n"
+"Set kernel.core_pattern before fs.suid_dumpable.\n"
+ );
}
#endif
}
Powered by blists - more mailing lists