From 3667c56c8781c1f1c14007ccf7936dd033350009 Mon Sep 17 00:00:00 2001 From: Patrick Donnelly Date: Wed, 19 Oct 2016 19:10:14 -0400 Subject: [PATCH] core: set dumpable flag after setuid MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit When ceph-* drops drops privileges via setuid, core dumps are no longer generated because its DUMPABLE flag is cleared. We have to manually turn that back on. From prctl(2): Normally, this flag is set to 1. However, it is reset to the current value contained in the file /proc/sys/fs/suid_dumpable (which by default has the value 0), in the fol‐ lowing circumstances: * The process's effective user or group ID is changed. * The process's filesystem user or group ID is changed (see credentials(7)). * The process executes (execve(2)) a set-user-ID or set-group-ID program, or a program that has capabilities (see capabilities(7)). Fixes: http://tracker.ceph.com/issues/17650 Signed-off-by: Patrick Donnelly (cherry picked from commit ff0e521434acb8c57c65ce3d2a2b9af4cfe914f1) --- src/global/global_init.cc | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/global/global_init.cc b/src/global/global_init.cc index 38636df404b5..daff81a323a9 100644 --- a/src/global/global_init.cc +++ b/src/global/global_init.cc @@ -36,6 +36,10 @@ #include #include +#ifdef HAVE_SYS_PRCTL_H +#include +#endif + #define dout_subsys ceph_subsys_ static void global_init_set_globals(CephContext *cct) @@ -270,6 +274,12 @@ void global_init(std::vector < const char * > *alt_def_args, } } +#if defined(HAVE_SYS_PRCTL_H) + if (prctl(PR_SET_DUMPABLE, 1) == -1) { + cerr << "warning: unable to set dumpable flag: " << cpp_strerror(errno) << std::endl; + } +#endif + // Expand metavariables. Invoke configuration observers. Open log file. g_conf->apply_changes(NULL); -- 2.47.3