[vdr] creating core dumps with 1.3.42

Klaus Schmidinger Klaus.Schmidinger at cadsoft.de
Mon Feb 20 00:01:29 CET 2006


Ville Skyttä wrote:
> On Sun, 2006-02-19 at 15:35 +0100, Klaus Schmidinger wrote:
> 
>>Ville Skyttä wrote:
>>
>>>On Thu, 2006-02-16 at 20:01 +0100, leo2 at pec.homeip.net wrote:
>>>
>>>
>>>>The current function to activate core-dumps for vdr running setuid is only
>>>>working for kernel > 2.6.13 (says the comment in vdr.c).
>>>>Actually it is not working for 2.4.21, but it was an easy change, just
>>>>replace
>>>>	prctl(PR_SET_DUMPABLE, 2, 0, 0, 0)
>>>>with 
>>>>	prctl(PR_SET_DUMPABLE, 1, 0, 0, 0)
>>>>
>>>>If you need the switch with "2" ( what does "2" mean for >2.6.13 ??)
>>>
>>>
>>>It's "2" intentionally.  "1" is a "no security" mode, "2" makes the core
>>>dumps readable by root only and applies additional checks.  Like the
>>>comment says, "2" is available in kernels >= 2.6.13 only.  For more
>>>info, see eg. the suid_dumpable description here:
>>>http://marc.theaimsgroup.com/?l=linux-kernel&m=109647550421014&w=2
>>>
>>>Yes, the net effect is that the unmodified VDR 1.3.42 won't produce core
>>>dumps at all when not running as root with < 2.6.13 kernels, but IMO
>>>that's a reasonable tradeoff, at least as far as the default is
>>>concerned.
>>
>>So does this mean that '1' would work on older kernels?
> 
> 
> For some values of "work", yes ;)
> 
> 
>>Would it be feasible to use just '1' - after all, there's not
>>much security about a VDR core file.
> 
> 
> Well, the above link contains descriptions about what 1 means.  The
> documentation says "... no security is applied. This is intended for
> system debugging situations only." whereas for 2 they say "...
> attempting to debug problems in a normal environment".  Note that it's
> not only about the file permissions or the core file's contents.  Only 2
> opens the dump file with O_EXCL.  Both 1 and 2 seem to use O_NOFOLLOW
> though.

What is the way a core file is created if an application runs normally
under a non-root user id (as in VDR before implementing the -u option)?
If it's the same as with the '1' option, then I'd say let's go for '1',
since there's no difference to the previous behavior - or is there?

Klaus
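
Added example (not part of the original message, and not VDR or kernel code): a small C program showing what the O_EXCL difference mentioned in the quoted reply means when something already sits at the dump path. The two flag sets are modelled on the thread's description of modes 1 and 2, and the `/tmp/coredemo.*` scratch directory and all names are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumption: flag sets modelled on the thread's description, not kernel source. */
#define MODE1_FLAGS (O_WRONLY | O_CREAT | O_NOFOLLOW)
#define MODE2_FLAGS (O_WRONLY | O_CREAT | O_NOFOLLOW | O_EXCL)

enum planted { NOTHING, REGULAR_FILE, SYMLINK };

/* Pre-plant an object at <scratch>/core, then open that path with `flags`.
 * Returns 0 if the open succeeded, otherwise the errno it failed with. */
int try_dump_open(int flags, enum planted what)
{
    char dir[] = "/tmp/coredemo.XXXXXX";   /* constructed scratch location */
    char core[64], target[64];
    int fd, err = 0;

    if (!mkdtemp(dir))
        return errno;
    snprintf(core, sizeof core, "%s/core", dir);
    snprintf(target, sizeof target, "%s/target", dir);

    if (what == REGULAR_FILE) {            /* file already present */
        fd = open(core, O_WRONLY | O_CREAT, 0644);
        if (fd >= 0) close(fd);
    } else if (what == SYMLINK && symlink(target, core) != 0) {
        err = errno;                       /* could not set up the case */
    }
    if (err == 0) {
        fd = open(core, flags, 0600);
        if (fd < 0) err = errno; else close(fd);
    }
    unlink(core); unlink(target); rmdir(dir);
    return err;
}

int main(void)
{
    static const char *names[] = { "nothing", "regular file", "symlink" };
    for (int w = NOTHING; w <= SYMLINK; w++) {
        printf("%-13s mode 1 flags: %s\n", names[w], strerror(try_dump_open(MODE1_FLAGS, w)));
        printf("%-13s mode 2 flags: %s\n", names[w], strerror(try_dump_open(MODE2_FLAGS, w)));
    }
    return 0;
}
```

With nothing at the path both flag sets succeed. A pre-existing regular file is reused when O_EXCL is absent and rejected when it is present, while the symlink is rejected by both.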


