Re: utrace vs. ptrace

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



* Linus Torvalds <[email protected]> wrote:

> > Mostly because I fear it would become another udev like disaster, 
> > requiring user space updates regularly, and core dumps are a fairly 
> > critical debugging feature that I wouldn't like to become 
> > unreliable.
> 
> Doing core-dumping in user space would be insane. It doesn't give 
> _any_ advantages, only disadvantages.

well, it was just a quick idea of mine that looked nice in the following 
sense: it would reuse (and thus test) debugging infrastructure that we 
want to and have to provide anyway. (if gdb is attached to a task that 
crashes then it is in a position to get all the information to create a 
coredump)

it wouldnt be fundamentally easier - but lots of policy stuff could be 
done there which we would otherwise reject to add to the kernel. Like 
more complex rules for "do we want to dump core for this particular 
app".

> Why do people keep thinking that doing things in user space is "safer" 
> and "easier". It's quite often not. For example, all the "fragile" 
> stuff would be true for a user-space dumper (don't tell me it's safer 
> - it would obviously have to run with elevated capabilities), and a 
> lot of it would be a hell of a lot harder.

It would have to run with privileges enough to 1) get the process/thread 
state [but not set it] 2) to write the resulting coredump to some file.

You are right that if we make it privileged enough to implement #2 as 
"put the coredump into the apps cwd, with the user's identity", that 
would expose this privileged code to similar file-permission security 
problems as the in-kernel dumper.

But if #2 is implemented in a more restricted way (like coredumps only 
go to a central directory not accessible to users, are size-limited, are 
fingerprinted for their backtraces to remove duplicates, are matched to 
an online repository of already reported bugs, etc.) then it could be 
more secure than the in-kernel dumper - just because it would do less. 
(and it would also do more, in a sense)

but ... i agree that it's not an "obvious win", and that it can create a 
less secure solution than the in-kernel dumper. Although the in-kernel 
dumper doesnt have a stellar security track record, so the quality bar 
isnt particularly high :-/

	Ingo
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux