This is the mail archive of the gdb@sourceware.org mailing list for the GDB project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: unable to attach to setuid program that as reverted it privilege


Andreas,

works great.

Here are a few notes in case someone else has this same problem....

To turn this on, do this:
1) log in as root
2) echo 2 >/proc/sys/kernel/suid_dumpable

To turn this off, do this:
1) log in as root
2) echo 0 >/proc/sys/kernel/suid_dumpable

On some systems the target file might be in /proc/sys/fs

It will not work to just use sudo in front of echo.  You must log in
as root because the redirection has the user's privilege.

I do not know what echo 1 would do.

This is documented as allowing core files to be created for setuid
programs.  What I am using it for is to allow gdb run as a non-root
user to connect to setuid programs that have _permanently_ given up
their root privilege.  Without suid_dumpable enabled, gdb will fail
with a EPERM error even tho the target program is no longer running as
root and can not reacquire root privilege ( a good default behavior ).

This will work fine for my needs, but I would prefer finer grained control.
that is:
1) separate attaching and core dumping.
2) don't turn on this feature for _all_ processes, just select processes.

This should only be used in a controlled environment because of the
security issues.

Because this turns on core dumping it would be prudent to also look
into /proc/sys/kernel/core_pattern to prevent name collision when core
dumps are created.

-- 
Michael Potter

On Jan 23, 2008 2:42 PM, Andreas Schwab <schwab@suse.de> wrote:
> "Michael Potter" <pottmi@gmail.com> writes:
>
> > I will post to a Linux kernel list in a couple of days.  I posted here
> > because I felt that I was likely to find someone who had the same
> > problem in this group.
>
> /proc/sys/kernel/suid_dumpable might be what you are looking for.
>
> Andreas.
>
> --
> Andreas Schwab, SuSE Labs, schwab@suse.de
> SuSE Linux Products GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
> PGP key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
> "And now for something completely different."
>


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]