On 23/02/2010 23:30, Stuart Henderson whispered from the shadows...:
> kern.nosuidcoredump=2 works fine for me in -current (though =0 seems
> broken), so please try with a newer OS version. This should work, it's
> needed for debugging Xorg too.

OK. I can confirm your results, see below for the verbose blow by blow.

So for myself, it's proven that if I upgrade to 4.6, there is at least
one method (sysctl kern.nosuidcoredump=2) to debug setuid() daemon
servers. I can live with that; just document kern.nosuidcoredump=2
please in core(5) or setuid(2) for developers.

Thank you all for your time.

Anthony Howe

--- long version ---

I'm going to skip the side debate of why my home file server (4.0) and
my production machine (4.3) are not at least up to date with 4.6. That
way be fiery dragons.

I've pulled out an old 500 MHz machine from a cupboard and have
installed 4.6 on it...

OpenBSD 4.6 (GENERIC) #58: Thu Jul  9 21:24:42 MDT 2009
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD-K6(tm) 3D processor ("AuthenticAMD" 586-class) 502 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX
real mem  = 532180992 (507MB)
avail mem = 505774080 (482MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 07/15/95, BIOS32 rev. 0 @ 0xfdb60,
SMBIOS rev. 2.1 @ 0xf5e60 (26 entries)
bios0: vendor American Megatrends Inc. version "062601" date 07/15/97
bios0: M599LMR M599LMR
...

Here is the nulld.c code, slightly tweaked for easy enable/disable of
setuid().

        usage: nulld [numeric-uid-to-set]

Please note that this is not how I would write a setuid daemon server;
it's strictly meant for testing behaviour of core dumps with respect to
setuid().

---
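#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int
main(int argc, char **argv)
{
        /* Detach, keeping the cwd and stdio open (nochdir=1, noclose=1). */
        (void) daemon(1,1);
        /* A core file dumped in the working directory lands in /tmp. */
        (void) chdir("/tmp");

        /* With an argument, switch to that numeric uid before idling. */
        if (1 < argc) {
                printf("before uid=%d euid=%d\n", getuid(), geteuid());
                (void) setuid(strtol(argv[1], NULL, 10));
                printf("after uid=%d euid=%d\n", getuid(), geteuid());
        }

        /* Idle until killed, e.g. by pkill -ABRT. */
        for (;;)
                sleep(60);

        /* NOTREACHED */
        return 0;
}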
---

Three tests, assumes logged in as root, assumes ulimit -c unlimited:

1. No setuid(), assert kern.nosuidcoredump=1; core dump in /tmp as
expected. No argument.

r...@pizza:# rm /tmp/*core /var/crash/*core
rm: /tmp/*core: No such file or directory
rm: /var/crash/*core: No such file or directory
r...@pizza:# sysctl kern.nosuidcoredump=1
kern.nosuidcoredump: 1 -> 1
r...@pizza:# ./nulld
r...@pizza:# pkill -ABRT nulld
r...@pizza:# ls /tmp /var/crash
/tmp:
.ICE-unix/  .X11-unix/  nulld.core

/var/crash:
minfree
r...@pizza:#


2. setuid(1), nosuidcoredump=0; no core dump in /tmp; there is a problem
in OpenBSD 4.6, though given Theo's earlier comments this appears to be
policy, which I can accept if it's documented in core(5) and/or setuid(2)
man pages.

r...@pizza:# rm /tmp/*core /var/crash/*core
rm: /var/crash/*core: No such file or directory
r...@pizza:# sysctl kern.nosuidcoredump=0
kern.nosuidcoredump: 1 -> 0
r...@pizza:# ./nulld 1
r...@pizza:# before uid=0 euid=0
after uid=1 euid=1

r...@pizza:# pkill -ABRT nulld
r...@pizza:# ls /tmp /var/crash
/tmp:
.ICE-unix/ .X11-unix/

/var/crash:
minfree
r...@pizza:#


3. setuid(1), nosuidcoredump=2; core dump in /var/crash; no problem with
OpenBSD 4.6.

r...@pizza:# rm /tmp/*core /var/crash/*core
rm: /tmp/*core: No such file or directory
rm: /var/crash/*core: No such file or directory
r...@pizza:# sysctl kern.nosuidcoredump=2
kern.nosuidcoredump: 0 -> 2
r...@pizza:# ./nulld 1
r...@pizza:# before uid=0 euid=0
after uid=1 euid=1

r...@pizza:# pkill -ABRT nulld
r...@pizza:# ls /tmp /var/crash
/tmp:
.ICE-unix/ .X11-unix/

/var/crash:
minfree     nulld.core
r...@pizza:#

-- 
Anthony C Howe            Skype: SirWumpus                  SnertSoft
+33 6 11 89 73 78       Twitter: SirWumpus      BarricadeMX & Milters
http://snert.com/      http://nanozen.info/     http://snertsoft.com/
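
The three manual tests above can also be driven from one parent process that reads the child's wait status instead of listing /tmp and /var/crash. This is an added example, not part of the original message: `run_abort_test` and `struct core_result` are hypothetical names, and `WCOREDUMP` only says whether the kernel reports having written a core, not where it put it.

```c
#define _DEFAULT_SOURCE 1       /* glibc: expose WCOREDUMP */
#include <signal.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

struct core_result {
        int exit_code;  /* child's exit status, or -1 if a signal killed it */
        int sig;        /* terminating signal, 0 if none */
        int dumped;     /* nonzero if the kernel reports it wrote a core */
};

/* Child: set RLIMIT_CORE (like ulimit -c), chdir(dir), optional setuid(uid), abort(). */
struct core_result
run_abort_test(const char *dir, int drop, uid_t uid, rlim_t core_limit)
{
        struct core_result r = { -1, 0, 0 };
        struct rlimit rl;
        int status = 0;
        pid_t pid = fork();
        if (pid == 0) {
                if (getrlimit(RLIMIT_CORE, &rl) == -1)
                        _exit(2);
                rl.rlim_cur = core_limit < rl.rlim_max ? core_limit : rl.rlim_max;
                if (setrlimit(RLIMIT_CORE, &rl) == -1 || chdir(dir) == -1)
                        _exit(2);
                /* Unlike nulld.c, never carry on with the wrong credentials. */
                if (drop && (setuid(uid) == -1 || getuid() != uid || geteuid() != uid))
                        _exit(3);
                abort();
        }
        if (pid == -1 || waitpid(pid, &status, 0) == -1)
                r.exit_code = 1;        /* the harness itself failed */
        else if (WIFEXITED(status))
                r.exit_code = WEXITSTATUS(status);
        else if (WIFSIGNALED(status)) {
                r.sig = WTERMSIG(status);
                r.dumped = WCOREDUMP(status);
        }
        return r;
}

int main(int argc, char **argv)
{
        uid_t uid = argc > 1 ? (uid_t)strtol(argv[1], NULL, 10) : 0;
        struct core_result r = run_abort_test("/tmp", argc > 1, uid, RLIM_INFINITY);
        printf("exit=%d signal=%d core=%d\n", r.exit_code, r.sig, r.dumped != 0);
        return 0;
}
```

Run as root with and without a numeric uid argument under each kern.nosuidcoredump setting; exit code 3 means the uid change did not take effect, so that run says nothing about the core dump policy.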
