Bash – On Redhat, what does “kernel.suid_dumpable = 1” mean

bash redhat shell

I'm running a bash script to copy some log files and then restart a service on a Red Hat box. Every time I execute the script, I get the following on my console:


[root@servername ~]# sh /bin/restart_nss.sh
kernel.suid_dumpable = 1
Stopping Service: [ OK ]
Starting Service: [ OK ]
[root@servername ~]#

What does "kernel.suid_dumpable = 1" mean in this case?

Thanks,
IVR Avenger

Best Answer

Some Background:

The setuid bit:
The setuid bit on an executable file makes it so that executables run by any user are run as if they were being run by the owner of the executable. So if setuid is set on a program that is owned by root, no matter who runs it, it will be run with root privileges. It is of course not that simple; see this Wikipedia article, or get a copy of Stevens' Programming in the Unix Environment.

A Core Dump:
A core dump is a dump of the program's working memory to a file. See this wikipedia article.

suid_dumpable:
This controls if the core can be dumped from a setuid program as described above. See below. This is a kernel tunable, you can change it with:

sudo sysctl -w kernel.suid_dumpable=2

You would find out about this tunable in the documentation for your kernel source code, which, if installed, you might find in a directory like /usr/src/linux-source-2.6.27/Documentation/sysctl/. In this case, the reference below is in fs.txt in that directory. Use the uname -a command to find out your kernel version.

Why it Matters:

It could be a security risk:
So the idea is, if there are core dumps and a regular user can read them, they might find out privileged information. If the program is dumped while it had privileged information in memory, and the user can read the dump, they might find out that privileged information.

Reference:

This value can be used to query and set the core dump mode for setuid
or otherwise protected/tainted binaries. The modes are

0 - (default) - traditional behaviour. Any process which has changed
   privilege levels or is execute only will not be dumped
1 - (debug) - all processes dump core when possible. The core dump is
   owned by the current user and no security is applied. This is
   intended for system debugging situations only.
2 - (suidsafe) - any binary which normally would not be dumped is dumped
   readable by root only. This allows the end user to remove
   such a dump but not access it directly. For security reasons
   core dumps in this mode will not overwrite one another or
   other files. This mode is appropriate when administrators are
   attempting to debug problems in a normal environment.
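The mode table above turned into a small audit script, as an added example that is not part of the original answer: it names the running mode, checks whether a sysctl config file pins the value at boot, and warns when mode 1 is active. The /etc/sysctl.conf path and the function names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit kernel.suid_dumpable.
# Mode names follow the Documentation/sysctl/fs.txt text quoted in the
# answer; the config path passed to audit_suid_dumpable is an assumption.

# Map a kernel.suid_dumpable value to its mode name from fs.txt.
suid_dumpable_mode() {
    case "$1" in
        0) echo "default" ;;   # setuid / changed-privilege processes never dump
        1) echo "debug" ;;     # everything dumps, core owned by the current user
        2) echo "suidsafe" ;;  # dumps happen, but are readable by root only
        *) echo "unknown" ;;
    esac
}

# Succeed (0) for values acceptable outside a debugging session; fail (1)
# for mode 1, where a setuid-root core is readable by the unprivileged
# user who ran the program, and for anything unrecognised.
suid_dumpable_is_safe() {
    case "$1" in
        0|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# Live value from procfs, falling back to sysctl -n; "unknown" if neither works.
current_suid_dumpable() {
    if [ -r /proc/sys/kernel/suid_dumpable ]; then
        cat /proc/sys/kernel/suid_dumpable
    else
        sysctl -n kernel.suid_dumpable 2>/dev/null || echo "unknown"
    fi
}

# Value pinned in a sysctl config file, or "unset". The last uncommented
# assignment wins (sysctl applies the file in order); other keys such as
# fs.suid_dumpable and commented lines are ignored.
sysctl_conf_value() {
    [ -r "$1" ] || { echo "unset"; return 0; }
    awk '/^[[:space:]]*kernel\.suid_dumpable[[:space:]]*=/ {
             sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); v = $0 }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# Report the running mode and whether it is pinned at boot. A script that
# runs `sysctl -w kernel.suid_dumpable=1` echoes "kernel.suid_dumpable = 1",
# the same format as the console line in the question.
audit_suid_dumpable() {
    live=$(current_suid_dumpable)
    printf 'running: %s (%s)\n' "$live" "$(suid_dumpable_mode "$live")"
    printf 'pinned in %s: %s\n' "$1" "$(sysctl_conf_value "$1")"
    suid_dumpable_is_safe "$live" || printf 'WARNING: setuid cores readable by the invoking user\n'
}

audit_suid_dumpable /etc/sysctl.conf
```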