1. /proc/sys/fs/suid_dumpable

[root@localhost /proc/sys/fs]$ cat suid_dumpable 
0

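2. Understanding and analysis

If a program calls seteuid()/setegid() to change the effective user or group of its process, the system by default does not generate a core dump for that process. Many service programs call seteuid(). MySQL is one example: whichever user runs mysqld_safe to start MySQL, the effective user of the mysqld process is always the mysql user. If you started a program as user A but ps shows it running as user B, the process has called seteuid. To let such processes generate a core dump, change the content of /proc/sys/fs/suid_dumpable to 1 (the default is usually 0). Note that 1 is the debug setting described below: no security is applied to the dump, so it is meant for debugging only.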

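3. Translation

The value in this file determines whether core dump files are generated for set-user-ID or otherwise protected/tainted binaries. One of three integer values can be specified:

0 (default): provides the traditional behavior (before Linux 2.6.13). No core dump is produced for a process that has changed its identity (by calling setuid(2), setgid(2), or a similar call, or by executing a set-user-ID or set-group-ID program), or whose binary does not have read permission.

1 (debug mode): core is dumped for all processes. The core dump file is owned by the file system user ID of the dumping process and no security is applied. This is for debugging only, and ptrace is not checked.

2 (safe mode): binaries that would normally not be dumped (see setting 0 above) are dumped, and the dump file is readable by root only. The user can delete the core dump file but cannot read it. For security reasons, core dump files in this mode will not overwrite one another or other files. This mode suits administrators trying to debug problems in a normal environment.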


/proc/sys/fs/suid_dumpable (since Linux 2.6.13)
The value in this file determines whether core dump files are produced for set-user-ID or otherwise protected/tainted binaries. Three different integer values can be specified:

0 (default) This provides the traditional (pre-Linux 2.6.13) behavior. A core dump will not be produced for a process which has changed credentials (by calling seteuid(2), setgid(2), or similar, or by executing a set-user-ID or set-group-ID program) or whose binary does not have read permission enabled.

1 ("debug") All processes dump core when possible. The core dump is owned by the file system user ID of the dumping process and no security is applied. This is intended for system debugging situations only. Ptrace is unchecked.

2 ("suidsafe") Any binary which normally would not be dumped (see "0" above) is dumped readable by root only. This allows the user to remove the core dump file but not to read it. For security reasons core dumps in this mode will not overwrite one another or other files. This mode is appropriate when administrators are attempting to debug problems in a normal environment.
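An audit check for the three modes above, as an added example that is not part of the original page. The function name and return codes are this example's own conventions; the rule that mode 2 needs an absolute or piped core_pattern comes from core(5) (Linux 3.6 and later), not from this page.

```shell
#!/bin/sh
# Added example: classify the suid_dumpable setting for a hardening audit.
# audit_suid_dumpable [VALUE_FILE] [PATTERN_FILE]   (hypothetical helper)
# Both arguments default to the real /proc files; pass other paths to test offline.
# Return codes (example convention): 0 ok, 1 debug mode, 2 mode 2 unusable, 3 unknown.
audit_suid_dumpable() {
    value_file=${1:-/proc/sys/fs/suid_dumpable}
    pattern_file=${2:-/proc/sys/kernel/core_pattern}

    [ -r "$value_file" ] || { echo "UNKNOWN: cannot read $value_file"; return 3; }
    value=$(tr -d '[:space:]' < "$value_file")

    pattern=""
    [ -r "$pattern_file" ] && pattern=$(head -n 1 "$pattern_file")

    case "$value" in
        0)
            echo "OK: mode 0, no core dump for processes that changed credentials"
            return 0 ;;
        1)
            # Debug mode: dump owned by the process fsuid, no security applied.
            echo "WARN: mode 1 (debug), privileged process memory may reach user-readable core files"
            return 1 ;;
        2)
            # Assumption from core(5): in suidsafe mode the kernel only writes
            # dumps when core_pattern is an absolute path or a pipe.
            case "$pattern" in
                /*|'|'*)
                    echo "OK: mode 2 (suidsafe), root-only dumps via '$pattern'"
                    return 0 ;;
                *)
                    echo "WARN: mode 2 (suidsafe) but core_pattern '$pattern' is relative"
                    return 2 ;;
            esac ;;
        *)
            echo "UNKNOWN: unexpected value '$value'"
            return 3 ;;
    esac
}

# Report the running system's setting when executed as a script.
audit_suid_dumpable "$@" || true
```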

Copyright © 温玉 2021. File last revised: 2023-06-19 08:59:50
