Control: tags -1 + patch

On Wed, 13 Mar 2019 08:16:16 +0800 Paul Wise <p...@debian.org> wrote:

> On Tue, 2019-03-12 at 15:50 +0100, Jakub Wilk wrote:
>
> > I don't understand why /var/crash is world-writable
>
> I guess that is for when the core dump handler is unused and probably I
> forgot to change it when switching to the core dump handler.

I confirmed that when the alternate kernel.core_pattern is in use, the /var/crash directory must be world-writeable otherwise the core files will not be written.

I intend to use the attached patch to fix this issue, please review it.

--
bye,
pabs

https://wiki.debian.org/PaulWise

From c3791a6999820b00071167e965571e6cd2acc62d Mon Sep 17 00:00:00 2001 From: Paul Wise <p...@debian.org> Date: Wed, 13 Mar 2019 14:10:36 +0800 Subject: [PATCH 1/3] Do not use a world-writable /var/crash with the dumper script Fixes: https://bugs.debian.org/924397 --- debian/changelog | 7 +++++++ debian/corekeeper.lintian-overrides | 2 +- debian/rules | 2 +- debian/sysctl-linux/corekeeper.conf | 5 ++++- 4 files changed, 13 insertions(+), 3 deletions(-) diff --git a/debian/changelog b/debian/changelog index 43ec51f..8916e17 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +corekeeper (1.7) UNRELEASED; urgency=medium + + * Do not use a world-writable /var/crash with the dumper script + (Closes: #924397) + + -- Paul Wise <p...@debian.org> Wed, 13 Mar 2019 14:09:50 +0800 + corekeeper (1.6) unstable; urgency=medium * Prevent installation with other core dump handlers: diff --git a/debian/corekeeper.lintian-overrides b/debian/corekeeper.lintian-overrides index 1e248d9..955d7e6 100644 --- a/debian/corekeeper.lintian-overrides +++ b/debian/corekeeper.lintian-overrides @@ -1,6 +1,6 @@ # /var/crash is intentionally world-writable to allow for # centralized core dumps. -non-standard-dir-perm +[kfreebsd-any]: non-standard-dir-perm # The postrm script checks if systemd is running before # using the systemctl command diff --git a/debian/rules b/debian/rules index a44b38b..7348673 100755 --- a/debian/rules +++ b/debian/rules @@ -10,7 +10,7 @@ script=debian/corekeeper/usr/lib/corekeeper/dump override_dh_fixperms: dh_fixperms - chmod 1777 debian/corekeeper/var/crash + if [ ! -e $(script) ; then chmod 1777 debian/corekeeper/var/crash ; fi if [ -e $(script) ] ; then chmod 0755 $(script) ; fi override_dh_installinit: diff --git a/debian/sysctl-linux/corekeeper.conf b/debian/sysctl-linux/corekeeper.conf index e6fcb90..66bebb4 100644 --- a/debian/sysctl-linux/corekeeper.conf +++ b/debian/sysctl-linux/corekeeper.conf 
@@ -4,8 +4,11 @@ # Non-root users can see that something crashed, no way to fix that. # It requires Linux 3.7-rc1, see v3.6-6800-g12a2b4b in linux.git for info. # If you use it with an earlier kernel then only root can access core dumps. -# If you don't want to use it, comment core_pattern below and uncomment this: +# If you don't want to use it, comment core_pattern below, dpkg-statoverride +# /var/crash to mode 1777 and uncomment this alternate core_pattern: #kernel.core_pattern = /var/crash/%p-%u-%g-%s-%t-%h-%E.core +# When switching back to the default core pattern use mode 0755 for /var/crash +# as it is unsafe to use the dumper with a world-writable directory. kernel.core_pattern = |/usr/lib/corekeeper/dump %d %u %p-%u-%g-%s-%t-%h-%E.core kernel.core_uses_pid = 1 fs.suid_dumpable = 2 -- 2.20.1
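
Review bot: the added line in the debian/rules hunk, `if [ ! -e $(script) ; then chmod 1777 debian/corekeeper/var/crash ; fi`, is missing the closing `]` of the test. Without it `[` exits with an error status, so the condition is never true and `chmod 1777` never runs, even on builds where the dumper script is absent and the directory has to be world-writable. Because the `if` itself still returns success, the build will not fail and the wrong mode will ship silently. Suggest `if [ ! -e $(script) ] ; then ...`, matching the unchanged line below it.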
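
Review bot: in the debian/corekeeper.lintian-overrides hunk, the unchanged comment above the override still reads "/var/crash is intentionally world-writable to allow for centralized core dumps", while the override itself is now limited to `[kfreebsd-any]`. Suggest rewording the comment to say that the directory is world-writable only where the dumper script is not used, so the comment and the architecture restriction say the same thing.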
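
Review bot: the new comment in the debian/sysctl-linux/corekeeper.conf hunk tells the administrator to "dpkg-statoverride /var/crash to mode 1777" but gives neither the invocation nor the owner and group to use, and the follow-up sentence about returning to mode 0755 does not mention removing that override again. Suggest spelling out the full `dpkg-statoverride --add` command and its matching `dpkg-statoverride --remove /var/crash`, so that an administrator who switches back to the piped core_pattern does not leave a world-writable directory behind. The sentence "When switching back to the default core pattern" also sits between the commented-out alternate pattern and the active one, where it can be read as applying to either; moving it directly under the dpkg-statoverride instruction would make the pairing clear.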