openwrtv3/package
Kevin Darbyshire-Bryant 7765e442d0 basefiles: allow suid coredumps
Set sysctl fs.suid_dumpable = 2

This allows suid processes to dump core according to kernel.core_pattern
setting.  LEDE typically uses suid to drop root priviledge rather than
gain it but without this setting any suid process would be unable to
produce coredumps (e.g. dnsmasq)

Processes still need to set a non zero core file process limit ('ulimit
-c unlimited' or if procd used 'procd_set_param limits
core="unlimited"') in order to produce a core.  This setting removes an
obscure stumbling block along the way.

>From https://www.kernel.org/doc/Documentation/sysctl/fs.txt

suid_dumpable:

This value can be used to query and set the core dump mode for setuid
or otherwise protected/tainted binaries. The modes are

0 - (default) - traditional behaviour. Any process which has changed
	privilege levels or is execute only will not be dumped.
1 - (debug) - all processes dump core when possible. The core dump is
	owned by the current user and no security is applied. This is
	intended for system debugging situations only. Ptrace is unchecked.
	This is insecure as it allows regular users to examine the memory
	contents of privileged processes.
2 - (suidsafe) - any binary which normally would not be dumped is dumped
	anyway, but only if the "core_pattern" kernel sysctl is set to
	either a pipe handler or a fully qualified path. (For more details
	on this limitation, see CVE-2006-2451.) This mode is appropriate
	when administrators are attempting to debug problems in a normal
	environment, and either have a core dump pipe handler that knows
	to treat privileged core dumps with care, or specific directory
	defined for catching core dumps. If a core dump happens without
	a pipe handler or fully qualifid path, a message will be emitted
	to syslog warning about the lack of a correct setting.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2017-09-12 22:18:45 +02:00
..
base-files basefiles: allow suid coredumps 2017-09-12 22:18:45 +02:00
boot uboot-envtools: Add support for IPQ806x AP148 and DB149 2017-08-30 18:12:48 +02:00
devel strace: bump to 4.19 2017-09-11 01:56:14 +02:00
firmware ath10k-firmware: update qca9887 firmware to 10.2.4-1.0-00029 2017-08-23 16:34:21 +02:00
kernel ath10k: Re-enable intermediate softqueues for all devices 2017-09-11 17:16:17 +02:00
libs mbedtls: update to 2.6.0 CVE-2017-14032 2017-09-11 01:56:14 +02:00
network tcpdump: bump to 4.9.2 2017-09-11 01:56:14 +02:00
system ubox: update to git HEAD version 2017-09-01 16:05:59 +02:00
utils busybox: update to 1.27.2 2017-08-30 22:34:41 +02:00
Makefile build: cleanup tmp/ dir of target rootfs 2017-05-02 22:10:50 +08:00