When ceph-* drops privileges via setuid, core dumps are no longer
generated because its DUMPABLE flag is cleared. We have to manually
turn that back on.
From prctl(2):
Normally, this flag is set to 1. However, it is reset to the current value contained in the file /proc/sys/fs/suid_dumpable (which by default has the value 0), in the following circumstances:
* The process's effective user or group ID is changed.
* The process's filesystem user or group ID is changed (see credentials(7)).
* The process executes (execve(2)) a set-user-ID or set-group-ID program, or a program that has capabilities (see capabilities(7)).
Fixes: http://tracker.ceph.com/issues/17650
Signed-off-by: Patrick Donnelly <pdonnell@redhat.com>
(cherry picked from commit ff0e521434acb8c57c65ce3d2a2b9af4cfe914f1)
#include <errno.h>
#include <deque>
+#ifdef HAVE_SYS_PRCTL_H
+#include <sys/prctl.h>
+#endif
+
#define dout_subsys ceph_subsys_
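Review bot: if the build does not define HAVE_SYS_PRCTL_H, this include and the prctl() call added later in the patch both compile out with no diagnostic, so the core-dump fix silently disappears; confirm the header check that defines the macro is present on the branch this is cherry-picked to. As a style point, the guard here is `#ifdef HAVE_SYS_PRCTL_H` while the call site uses `#if defined(HAVE_SYS_PRCTL_H)`; use one form for both.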
static void global_init_set_globals(CephContext *cct)
}
}
+#if defined(HAVE_SYS_PRCTL_H)
+ if (prctl(PR_SET_DUMPABLE, 1) == -1) {
+ cerr << "warning: unable to set dumpable flag: " << cpp_strerror(errno) << std::endl;
+ }
+#endif
+
// Expand metavariables. Invoke configuration observers. Open log file.
g_conf->apply_changes(NULL);
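Review bot: `prctl(PR_SET_DUMPABLE, 1)` is placed after the two closing braces rather than inside the code that changes the user ID, so from the visible context it runs on every start and always overrides the value the administrator set in /proc/sys/fs/suid_dumpable. The kernel clears the flag on a credential change so that memory populated under the old credentials is not written to a core file or exposed to ptrace by the new user; anything the daemon read before the setuid can now end up in a core. Suggest making the call only when privileges were actually dropped, adding a comment at the call that states this trade-off, and documenting that the core directory or core_pattern handler for these daemons needs restrictive permissions.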