On Fri, Feb 12, 2016 at 12:40:37PM +0000, Tom Hughes wrote:
> On 12/02/16 12:24, Jakub Filak wrote:
>> I believe that maintainers of packages like chrony will be really delighted
>> with this change, while it will not weaken security of Fedora for regular users.
>
> What part of chrony is setuid? I don't see an suid bit on any of its
> executables... Nor any file capabilities, which is the other thing the manual
> page says triggers this.

The chrony files don't have any set*id bits set, but the chronyd
process, like many other daemons, calls setuid()/setgid() in order to
drop root privileges. The proc(5) man page lists that as a reason
for not producing a coredump.

I was wondering what security implications setting suid_dumpable
to 2 by default would have and why it needs to be restricted to development.

--
Miroslav Lichvar