qpid-dev mailing list archives

From "Alan Conway (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (DISPATCH-130) qdrouterd with --daemon and --user options does not dump core.
Date Thu, 02 Apr 2015 19:14:53 GMT

     [ https://issues.apache.org/jira/browse/DISPATCH-130?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Alan Conway updated DISPATCH-130:
    Attachment: qdrouterd

The problem is that if you start qdrouterd as root and it changes its own uid via the --user
option, the kernel still considers it a privileged process and will not allow it to dump core
without special shenanigans. This is because it *could* have gotten sensitive information
into memory while it was a root process so a core file might be a security risk.

The solution is to start as a non-root user and not use the --user option.
Attached is an example SYSV init script that does so; it was tested on RHEL6 but something
very like it should work on any SYSV-based system. No systemd script available but the same
logic would apply.

> qdrouterd with --daemon and --user options does not dump core.
> --------------------------------------------------------------
>                 Key: DISPATCH-130
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-130
>             Project: Qpid Dispatch
>          Issue Type: Bug
>          Components: Container
>    Affects Versions: 0.3
>            Reporter: Alan Conway
>            Assignee: Alan Conway
>             Fix For: 0.4
>         Attachments: qdrouterd
> If qdrouterd is started with --daemon and --user options, and then is killed with SIGABRT
> or crashes, it does not produce a core file. Note both --daemon and --user are required to
> produce the problem, either alone does not. Tested on RHEL6 and Fedora 21 as follows:
> Send core files in /tmp, since --daemon will set current directory to /
> {noformat}
> # echo /tmp/core.%e.%p > /proc/sys/kernel/core_pattern
> {noformat}
> Verify we do get a core file with just --daemon
> {noformat}
> # qdrouterd --daemon
> # pkill -e -6 qdrouterd
> qdrouterd killed (pid 11482)
> # ls /tmp/core*
> /tmp/core.qdrouterd.11482
> {noformat}
> Now add --user 
> {noformat}
> # rm /tmp/core*
> # qdrouterd --daemon --user aconway
> # pkill -e -6 qdrouterd
> qdrouterd killed (pid 11432)
> # ls /tmp/core*
> ls: cannot access /tmp/core*: No such file or directory
> {noformat}
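
The kernel behaviour described in the comment above can be observed through the per-process "dumpable" flag, which Linux resets when a process changes its effective uid. The C program below is an added example, not part of the original message or its attached init script; the function names and `DEMO_UID` (65534, assumed to be an unprivileged id on the host) are illustrative.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define DEMO_UID 65534 /* assumption: unprivileged uid/gid ("nobody") on this host */

/* Dumpable flag: 1 = core dumps allowed, 0 = suppressed, 2 = root-readable dump only. */
int get_dumpable(void) { return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0); }

/* Set the flag explicitly (the kernel accepts only 0 or 1); returns the new value or -1. */
int set_dumpable(int on) {
    if (prctl(PR_SET_DUMPABLE, on ? 1 : 0, 0, 0, 0) != 0) return -1;
    return get_dumpable();
}

/* In a forked child, drop from root to `id` the way a --user style option would and
 * report the flag the kernel leaves behind. With `reenable` set, the child first asks
 * for dumps again via prctl. Returns -1 if not root or if the drop fails. */
int dumpable_after_drop(uid_t id, int reenable) {
    if (geteuid() != 0) return -1;          /* nothing to observe without root */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setgroups(0, NULL) != 0 || setgid(id) != 0 || setuid(id) != 0)
            _exit(255);                     /* privilege drop failed */
        _exit(reenable ? set_dumpable(1) : get_dumpable());
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    int flag = WEXITSTATUS(status);
    return flag == 255 ? -1 : flag;         /* 255 also covers a failed prctl */
}

int main(void) {
    printf("dumpable at start:            %d\n", get_dumpable());
    int dropped = dumpable_after_drop(DEMO_UID, 0);
    if (dropped < 0) {
        puts("not root (or drop failed): run as root to see the flag change");
        return 0;
    }
    printf("dumpable after setuid:        %d\n", dropped);
    printf("dumpable after prctl re-set:  %d\n", dumpable_after_drop(DEMO_UID, 1));
    return 0;
}
```

Run as root, the value after `setuid` reflects the `fs.suid_dumpable` sysctl rather than the 1 the process started with, which is why the core file in the report never appears.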
