coredumps

Andreas Ericsson ae at op5.se
Thu Dec 6 18:00:25 CET 2007


Andrew Ivanov wrote:
>  
> Andreas Ericsson wrote:
>> That's the entire point right there. It's not supposed to be
>> safe. It's supposed to be convenient. I would actually prefer
>> if Nagios didn't dump core at all when started as root, because
>> the core dump can then contain sensitive information.
> 
> Well, that explains a lot.
> The 'daemon_dumps_core' option prevents Nagios from dumping cores, doesn't it?

No, it *allows* nagios to dump core. Since the information inside the core
file is potentially sensitive, we don't want to let any random user come
along and read it later.

> And it's turned off by default.

Yes, hence what I said above.

> Honestly, I've thought that all I need to dump core is turn this option on.

Well, assumption is the mother of all fuckups. You're not the first to prove
that idiom right ;-)

> Core files have rights 600,

That depends on your OS. Most set it to (0666 & umask), just like any other
file created on the system. That's not necessarily bad either, as people
in the same group often have a legitimate reason to debug each other's code.


> so neither group nor others can read them.
> These are all good two-level foolproof protection.
> 
> Ok, to dump cores one should set correct homedir for user nagios,

meep! Not necessarily right.

> turn 'daemon_dumps_core' on, change Nagios startup script
> to use 'su -' and run Nagios under user nagios. This should be enough,
> but not very convenient.
> 

Or you can just alter the start-script to read
HOME=/dump/cores/here $NagiosBin -f $NagiosCfg


> We have security-convenience tradeoff here, and the choice is done
> in favour of security.
> 

Well, some users set the $HOME of accounts not supposed to login to
/var/jail or some such, so your approach would solve absolutely
nothing for them.

> I would prefer to run Nagios 'for debug' the same way as always,
> but just have a possibility to dump core when I want to do that.

The choice is yours, but if the decision was up to me, I wouldn't
accept your patch as is because
* it breaks a pretty standard unix way of doing things
* it doesn't solve a real problem universally
* there are other ways to achieve exactly the same thing already


> If started-for-production Nagios goes crazy, you can't dump core.
> Instead, you have to restart it for-debug and wait for the bug again.
> It's not convenient either.
> 

True that, but when a program has already started going wild it's far
too late to decide that it should dump core if it doesn't already, so
with or without your patch everyone still has to decide whether or not
they want to allow core-dumps from Nagios before they start it. Your
patch makes it possible to set "daemon_dumps_core=1" in nagios.cfg
and then forget about it *IF* you've also made sure nagios' $HOME is
writable by the nagios user.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231
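The start-script approach and the (0666 & umask) permission point discussed above, as an added shell example that is not part of this thread: a wrapper that sends core dumps to a dedicated directory only the daemon user can read, plus a check that reports any core files readable by group or others. CORE_DIR is an assumed name; NagiosBin and NagiosCfg follow the variable names used in the message.

```shell
#!/bin/sh
# Added example, not code from the Nagios project or the mailing list thread.
# CORE_DIR, NagiosBin and NagiosCfg are assumed to be set by the start script.
set -u

# Create the directory the daemon will dump core into and restrict it to its
# owner (0700), so a core file's own mode is not the only thing protecting it.
prepare_core_dir() {
    dir=$1; owner=$2
    mkdir -p "$dir" || return 1
    chmod 0700 "$dir" || return 1
    # chown may fail when not running as root; the directory mode still applies.
    chown "$owner" "$dir" 2>/dev/null || :
}

# Effective mode of a new core file on systems that create it as (0666 & ~umask).
# Takes the umask as an octal string, e.g. "022" or "077".
core_mode_for_umask() {
    printf '%04o\n' $(( 0666 & ~(0$1) ))
}

# List core files directly under a directory that group or others can read.
# Prints nothing when every core file is owner-only.
exposed_core_files() {
    find "$1" -maxdepth 1 -type f \
        \( -name 'core' -o -name 'core.*' \) \
        \( -perm -g+r -o -perm -o+r \) 2>/dev/null | sort
}

# Start fragment: a restrictive umask so cores land as 0600, an unlimited core
# size, and HOME pointed at the dedicated directory, as suggested in the thread.
start_nagios_with_cores() {
    umask 077
    ulimit -c unlimited
    HOME="$CORE_DIR" exec "$NagiosBin" -f "$NagiosCfg"
}
```

Run exposed_core_files against the core directory from cron or a monitoring check to catch cores that were written with a looser umask than intended.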
