TIL - suid_dumpable

Posted by Marcus Folkesson on Tuesday, October 22, 2024


TIL, Today I Learned, is more of a "I just figured this out: here are my notes, you may find them useful too" rather than a full blog post

Ever notice that you can't get a coredump from a process running with extra privileges like capabilities or setuid?

This is related to a previous post [1] about some restrictions that are applied to such processes. I suggest reading that post first to get the context.

suid_dumpable

Processes with extra privileges are not "dumpable" by default. This has some unexpected side-effects (see [1]), but the main thing is that it will not produce a core-dump if it crashes. This could be annoying during the development phase or your late night debugging session. But that is tunable with suid_dumpable.

As stated in the documentation [2]:

This value can be used to query and set the core dump mode for setuid or otherwise protected/tainted binaries. The modes are

0 (default) Traditional behaviour. Any process which has changed privilege levels or is execute only will not be dumped.
1 (debug) All processes dump core when possible. The core dump is owned by the current user and no security is applied. This is intended for system debugging situations only. Ptrace is unchecked. This is insecure as it allows regular users to examine the memory contents of privileged processes.
2 (suidsafe) Any binary which normally would not be dumped is dumped anyway, but only if the core_pattern kernel sysctl is set to either a pipe handler or a fully qualified path. (For more details on this limitation, see CVE-2006-2451.) This mode is appropriate when administrators are attempting to debug problems in a normal environment, and either have a core dump pipe handler that knows to treat privileged core dumps with care, or specific directory defined for catching core dumps. If a core dump happens without a pipe handler or fully qualified path, a message will be emitted to syslog warning about the lack of a correct setting.

Enable coredumps

Either use sysctl:

$ sysctl -w fs.suid_dumpable=1

Or by procfs:

$ echo 1 > /proc/sys/fs/suid_dumpable

Either of these enables generation of coredumps for all processes. But don't forget this:

This is intended for system debugging situations only. Ptrace is unchecked. This is insecure as it allows regular users to examine the memory contents of privileged processes.

It is meant to be used for debugging situations only.
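As an added example that is not part of the original post: a small POSIX sh check (the helper names classify_suid_dumpable and check_live_suid_dumpable are my own) that classifies a suid_dumpable value together with kernel.core_pattern, flagging mode 1 as debug-only and accepting mode 2 only when core_pattern is a pipe handler or a fully qualified path, as the documentation quoted above requires.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a suid_dumpable
# setting against core_pattern before enabling dumps of privileged processes.

# Classify a (suid_dumpable, core_pattern) pair.
# Prints one of: disabled, insecure, suidsafe, unsafe-pattern, invalid
classify_suid_dumpable() {
    mode=$1
    pattern=$2
    case "$mode" in
        0) echo disabled ;;          # traditional behaviour: privileged processes never dump
        1) echo insecure ;;          # debug mode: dumps owned by the current user, ptrace unchecked
        2)
            case "$pattern" in
                '|'*) echo suidsafe ;;        # pipe handler (e.g. a coredump collector daemon)
                /*)   echo suidsafe ;;        # fully qualified path
                *)    echo unsafe-pattern ;;  # relative name such as "core": the kernel
                                              # logs a warning and skips the privileged dump
            esac
            ;;
        *) echo invalid ;;
    esac
}

# Read the live values from procfs and classify them.
# Falls back to the kernel defaults (0 and "core") if the files are unreadable.
check_live_suid_dumpable() {
    mode=$(cat /proc/sys/fs/suid_dumpable 2>/dev/null || echo 0)
    pattern=$(cat /proc/sys/kernel/core_pattern 2>/dev/null || echo core)
    classify_suid_dumpable "$mode" "$pattern"
}
```

Run check_live_suid_dumpable on a host before and after changing fs.suid_dumpable; anything other than "suidsafe" means privileged coredumps are either off or readable by unprivileged users.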