Message ID | 1504527204-24737-1-git-send-email-ldir@darbyshire-bryant.me.uk |
---|---|
State | Accepted |
From | Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> |
To | lede-dev@lists.infradead.org |
Date | Mon, 4 Sep 2017 13:13:24 +0100 |
Subject | [LEDE-DEV] [PATCH] basefiles: allow suid coredumps |
Series | [LEDE-DEV] basefiles: allow suid coredumps |
diff --git a/package/base-files/files/etc/sysctl.conf b/package/base-files/files/etc/sysctl.conf index 91a3ac9..ddc7a9b 100644 --- a/package/base-files/files/etc/sysctl.conf +++ b/package/base-files/files/etc/sysctl.conf @@ -1,5 +1,6 @@ kernel.panic=3 kernel.core_pattern=/tmp/%e.%t.%p.%s.core +fs.suid_dumpable=2 net.ipv4.conf.default.arp_ignore=1 net.ipv4.conf.all.arp_ignore=1
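Review bot: the new `fs.suid_dumpable=2` line only does anything because the `kernel.core_pattern=/tmp/%e.%t.%p.%s.core` line directly above it is an absolute path (the kernel doc quoted in the commit message says mode 2 dumps nothing and only logs a syslog warning when core_pattern is neither a pipe handler nor a fully qualified path), yet sysctl.conf records nothing about that coupling; a comment above the new line, e.g. `# mode 2 requires core_pattern to be an absolute path or a pipe handler (see CVE-2006-2451)`, would stop a later edit of core_pattern from silently disabling privileged dumps again. The same quoted text says mode 2 is meant for setups with either a pipe handler that treats privileged dumps with care or a specific directory set aside for catching cores, whereas this pattern drops cores of processes that started as root into the shared /tmp; the commit message should say a sentence on why that is acceptable for LEDE, or point core_pattern at a dedicated directory.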
Set sysctl fs.suid_dumpable = 2

This allows suid processes to dump core according to the kernel.core_pattern setting. LEDE typically uses suid to drop root privilege rather than gain it, but without this setting any suid process would be unable to produce coredumps (e.g. dnsmasq).

Processes still need to set a non-zero core file process limit ('ulimit -c unlimited' or, if procd is used, 'procd_set_param limits core="unlimited"') in order to produce a core. This setting removes an obscure stumbling block along the way.

From https://www.kernel.org/doc/Documentation/sysctl/fs.txt

suid_dumpable:

This value can be used to query and set the core dump mode for setuid or otherwise protected/tainted binaries. The modes are

0 - (default) - traditional behaviour. Any process which has changed privilege levels or is execute only will not be dumped.

1 - (debug) - all processes dump core when possible. The core dump is owned by the current user and no security is applied. This is intended for system debugging situations only. Ptrace is unchecked. This is insecure as it allows regular users to examine the memory contents of privileged processes.

2 - (suidsafe) - any binary which normally would not be dumped is dumped anyway, but only if the "core_pattern" kernel sysctl is set to either a pipe handler or a fully qualified path. (For more details on this limitation, see CVE-2006-2451.) This mode is appropriate when administrators are attempting to debug problems in a normal environment, and either have a core dump pipe handler that knows to treat privileged core dumps with care, or a specific directory defined for catching core dumps. If a core dump happens without a pipe handler or fully qualified path, a message will be emitted to syslog warning about the lack of a correct setting.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
 package/base-files/files/etc/sysctl.conf | 1 +
 1 file changed, 1 insertion(+)
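As an added example (not part of the patch or of LEDE's base-files), the following POSIX shell check applies the rule quoted above from the kernel documentation to a sysctl.conf-style text: it reports whether the fs.suid_dumpable / kernel.core_pattern pair will actually let a privilege-dropping process dump core, or whether mode 2 is silently ineffective because core_pattern is neither absolute nor a pipe handler. The sample configuration and the `conf_get` / `suid_dump_status` helper names are constructed for this example.

```shell
#!/bin/sh
# Added example: sanity-check the suid_dumpable / core_pattern coupling from
# a sysctl.conf text, without touching the live /proc/sys tree.

# Constructed sample in the shape of LEDE's sysctl.conf after the patch.
SAMPLE_CONF='kernel.panic=3
kernel.core_pattern=/tmp/%e.%t.%p.%s.core
fs.suid_dumpable=2
net.ipv4.conf.default.arp_ignore=1'

# conf_get <conf_text> <sed-escaped key>: value of the last "key = value"
# line for that key, or the empty string when the key is not set.
conf_get() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
        | tail -n 1
}

# suid_dump_status <conf_text>: prints one word describing the outcome for a
# process that changed privilege levels, per the quoted kernel documentation:
#   disabled - mode 0 (also the kernel default when unset): never dumped
#   insecure - mode 1: dumped, owned by the current user, no protection
#   ok       - mode 2 with an absolute path or "|handler" core_pattern
#   ignored  - mode 2 but core_pattern is relative: only a syslog warning
#   invalid  - any other value for fs.suid_dumpable
suid_dump_status() {
    mode=$(conf_get "$1" 'fs\.suid_dumpable')
    pattern=$(conf_get "$1" 'kernel\.core_pattern')
    case "${mode:-0}" in
        0) echo disabled ;;
        1) echo insecure ;;
        2) case "$pattern" in
               /*|\|*) echo ok ;;
               *)      echo ignored ;;
           esac ;;
        *) echo invalid ;;
    esac
}

suid_dump_status "$SAMPLE_CONF"   # prints: ok
```

On a running box the same check can be fed `sysctl -a` style output by replacing the sample text, since the parser only needs `key = value` lines.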