1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

coredump: dump priviliges when processing system coredumps

Let's add an extra-safety net and change UID/GID to the "systemd-coredump" user when processing coredumps from system
user. For coredumps of normal users we keep the current logic of processing the coredumps from the user id the coredump
was created under.

Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=87354
This commit is contained in:
Lennart Poettering 2016-02-08 23:35:24 +01:00
parent 15a900327a
commit 888e378da2
5 changed files with 20 additions and 4 deletions

View File

@ -4870,7 +4870,6 @@ nodist_systemunit_DATA += \
GENERAL_ALIASES += \ GENERAL_ALIASES += \
$(systemunitdir)/systemd-timesyncd.service $(pkgsysconfdir)/system/sysinit.target.wants/systemd-timesyncd.service $(systemunitdir)/systemd-timesyncd.service $(pkgsysconfdir)/system/sysinit.target.wants/systemd-timesyncd.service
nodist_pkgsysconf_DATA += \ nodist_pkgsysconf_DATA += \
src/timesync/timesyncd.conf src/timesync/timesyncd.conf

3
README
View File

@ -203,6 +203,9 @@ USERS AND GROUPS:
Similarly, the kdbus dbus1 proxy daemon requires the Similarly, the kdbus dbus1 proxy daemon requires the
"systemd-bus-proxy" system user and group to exist. "systemd-bus-proxy" system user and group to exist.
Similarly, the coredump support requires the
"systemd-coredump" system user and group to exist.
NSS: NSS:
systemd ships with three NSS modules: systemd ships with three NSS modules:

View File

@ -1106,6 +1106,7 @@ have_coredump=no
AC_ARG_ENABLE(coredump, AS_HELP_STRING([--disable-coredump], [disable coredump hook])) AC_ARG_ENABLE(coredump, AS_HELP_STRING([--disable-coredump], [disable coredump hook]))
if test "x$enable_coredump" != "xno"; then if test "x$enable_coredump" != "xno"; then
have_coredump=yes have_coredump=yes
M4_DEFINES="$M4_DEFINES -DENABLE_COREDUMP"
fi fi
AM_CONDITIONAL(ENABLE_COREDUMP, [test "$have_coredump" = "yes"]) AM_CONDITIONAL(ENABLE_COREDUMP, [test "$have_coredump" = "yes"])

View File

@ -569,9 +569,19 @@ static int change_uid_gid(const char *context[]) {
if (r < 0) if (r < 0)
return r; return r;
r = parse_gid(context[CONTEXT_GID], &gid); if (uid <= SYSTEM_UID_MAX) {
if (r < 0) const char *user = "systemd-coredump";
return r;
r = get_user_creds(&user, &uid, &gid, NULL, NULL);
if (r < 0) {
log_warning_errno(r, "Cannot resolve %s user. Proceeding to dump core as root: %m", user);
uid = gid = 0;
}
} else {
r = parse_gid(context[CONTEXT_GID], &gid);
if (r < 0)
return r;
}
return drop_privileges(uid, gid, 0); return drop_privileges(uid, gid, 0);
} }

View File

@ -16,3 +16,6 @@ u systemd-resolve - "systemd Resolver"
m4_ifdef(`ENABLE_TIMESYNCD', m4_ifdef(`ENABLE_TIMESYNCD',
u systemd-timesync - "systemd Time Synchronization" u systemd-timesync - "systemd Time Synchronization"
)m4_dnl )m4_dnl
m4_ifdef(`ENABLE_COREDUMP',
u systemd-coredump - "systemd Core Dumper"
)m4_dnl