mirror of
https://github.com/systemd/systemd.git
synced 2024-12-22 17:35:35 +03:00
coredump: dump priviliges when processing system coredumps
Let's add an extra safety net and change UID/GID to the "systemd-coredump" user when processing coredumps from system users. For coredumps of normal users we keep the current logic of processing the coredumps under the user id the coredump was created under. Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=87354
parent
15a900327a
commit
888e378da2
@ -4870,7 +4870,6 @@ nodist_systemunit_DATA += \
|
|||||||
GENERAL_ALIASES += \
|
GENERAL_ALIASES += \
|
||||||
$(systemunitdir)/systemd-timesyncd.service $(pkgsysconfdir)/system/sysinit.target.wants/systemd-timesyncd.service
|
$(systemunitdir)/systemd-timesyncd.service $(pkgsysconfdir)/system/sysinit.target.wants/systemd-timesyncd.service
|
||||||
|
|
||||||
|
|
||||||
nodist_pkgsysconf_DATA += \
|
nodist_pkgsysconf_DATA += \
|
||||||
src/timesync/timesyncd.conf
|
src/timesync/timesyncd.conf
|
||||||
|
|
||||||
|
3
README
3
README
@ -203,6 +203,9 @@ USERS AND GROUPS:
|
|||||||
Similarly, the kdbus dbus1 proxy daemon requires the
|
Similarly, the kdbus dbus1 proxy daemon requires the
|
||||||
"systemd-bus-proxy" system user and group to exist.
|
"systemd-bus-proxy" system user and group to exist.
|
||||||
|
|
||||||
|
Similarly, the coredump support requires the
|
||||||
|
"systemd-coredump" system user and group to exist.
|
||||||
|
|
||||||
NSS:
|
NSS:
|
||||||
systemd ships with three NSS modules:
|
systemd ships with three NSS modules:
|
||||||
|
|
||||||
|
@ -1106,6 +1106,7 @@ have_coredump=no
|
|||||||
AC_ARG_ENABLE(coredump, AS_HELP_STRING([--disable-coredump], [disable coredump hook]))
|
AC_ARG_ENABLE(coredump, AS_HELP_STRING([--disable-coredump], [disable coredump hook]))
|
||||||
if test "x$enable_coredump" != "xno"; then
|
if test "x$enable_coredump" != "xno"; then
|
||||||
have_coredump=yes
|
have_coredump=yes
|
||||||
|
M4_DEFINES="$M4_DEFINES -DENABLE_COREDUMP"
|
||||||
fi
|
fi
|
||||||
AM_CONDITIONAL(ENABLE_COREDUMP, [test "$have_coredump" = "yes"])
|
AM_CONDITIONAL(ENABLE_COREDUMP, [test "$have_coredump" = "yes"])
|
||||||
|
|
||||||
|
@ -569,9 +569,19 @@ static int change_uid_gid(const char *context[]) {
|
|||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
r = parse_gid(context[CONTEXT_GID], &gid);
|
if (uid <= SYSTEM_UID_MAX) {
|
||||||
if (r < 0)
|
const char *user = "systemd-coredump";
|
||||||
return r;
|
|
||||||
|
r = get_user_creds(&user, &uid, &gid, NULL, NULL);
|
||||||
|
if (r < 0) {
|
||||||
|
log_warning_errno(r, "Cannot resolve %s user. Proceeding to dump core as root: %m", user);
|
||||||
|
uid = gid = 0;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
r = parse_gid(context[CONTEXT_GID], &gid);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
}
|
||||||
|
|
||||||
return drop_privileges(uid, gid, 0);
|
return drop_privileges(uid, gid, 0);
|
||||||
}
|
}
|
||||||
|
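Review bot: The error branch after `get_user_creds()` sets `uid = gid = 0`, so when the "systemd-coredump" account cannot be resolved every system-user dump is processed as root, including dumps from non-root system uids that the removed lines handled under the crashing process's own uid/gid. That makes the failure path less confined than it was before the change, which works against the stated safety-net purpose. Falling back to the ids passed in `context[]` keeps the old confinement: resolve into a separate `uid_t`, and on failure parse `context[CONTEXT_GID]` the way the else branch does while leaving `uid` untouched. `change_uid_gid()` starts above this hunk, so the declarations and the call that fills `uid` are not visible here; the sketch assumes `uid` still holds the crashing process's uid at this point.

```c
if (uid <= SYSTEM_UID_MAX) {
        const char *user = "systemd-coredump";
        uid_t dump_uid;

        r = get_user_creds(&user, &dump_uid, &gid, NULL, NULL);
        if (r < 0) {
                /* Stay at the crashing process's own ids rather than escalating to root. */
                log_warning_errno(r, "Cannot resolve %s user. Proceeding to dump core as the crashing user: %m", user);
                r = parse_gid(context[CONTEXT_GID], &gid);
                if (r < 0)
                        return r;
        } else
                uid = dump_uid;
} else {
        /* … unchanged: parse_gid() for regular users … */
}
```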
@ -16,3 +16,6 @@ u systemd-resolve - "systemd Resolver"
|
|||||||
m4_ifdef(`ENABLE_TIMESYNCD',
|
m4_ifdef(`ENABLE_TIMESYNCD',
|
||||||
u systemd-timesync - "systemd Time Synchronization"
|
u systemd-timesync - "systemd Time Synchronization"
|
||||||
)m4_dnl
|
)m4_dnl
|
||||||
|
m4_ifdef(`ENABLE_COREDUMP',
|
||||||
|
u systemd-coredump - "systemd Core Dumper"
|
||||||
|
)m4_dnl
|
||||||
|