Project

General

Profile

Actions

Feature #3135

closed

server.core-files support on Solaris based system

Added by devnexen 5 months ago. Updated 5 months ago.

Status:
Fixed
Priority:
Normal
Category:
core
Target version:
ASK QUESTIONS IN Forums:
No

Description

- based on personal/gstrauss/master branch.
- basically making the current process traceable via setpflags call and __PROC_PROTECT.


Files

Actions #1

Updated by devnexen 5 months ago

ought to be my last solaris patch.

Actions #2

Updated by gstrauss 5 months ago

  • Category set to core

What is __PROC_PROTECT? It is not mentioned in any of
https://www.illumos.org/man/5/privileges
https://www.illumos.org/man/2/setpflags
https://docs.oracle.com/cd/E88353_01/html/E37841/setpflags-2.html

lighttpd does not currently directly modify Linux "capabilities". In most cases, that could be done by the calling process. Should that not also apply similarly to illumos and setpflags (and coreadm)?

Actions #3

Updated by devnexen 5 months ago

Indeed it is not documented it is a known feature tough when you get to do solaris native programming, one of the few visible examples you can find is openssh (doing the opposite of course)

https://github.com/openssh/openssh-portable/blob/master/platform-tracing.c#L55

Actions #4

Updated by gstrauss 5 months ago

Thanks for the pointer to an example. Should this patch check the return value from setpflags()? Should lighttpd issue trace if setpflags() fails? Should lighttpd fail and exit? (probably not) Should lighttpd use getpflags() to see if this needs to be set? How should lighttpd handle EPERM from setpflags() or will that not occur with __PROC_PROTECT?

Actions #5

Updated by devnexen 5 months ago

should be fine. In openssh case it s important they check since they want to make sure it can't be traced while here it s more like "icing on the cake".

Actions #6

Updated by devnexen 5 months ago

gstrauss wrote in #note-4:

Thanks for the pointer to an example. Should this patch check the return value from setpflags()? Should lighttpd issue trace if setpflags() fails? Should lighttpd fail and exit? (probably not) Should lighttpd use getpflags() to see if this needs to be set? How should lighttpd handle EPERM from setpflags() or will that not occur with __PROC_PROTECT?

at worse a log entry warning about the failure should be good enough, indeed stopping lighttpd "just" because of this sounds harsh. but that s just a suggestion.

Actions #7

Updated by devnexen 5 months ago

FYI with this basic hello world

#include <priv.h>
#include <stdio.h>

int main(void)
{
        printf("1st attempt %d\n", setpflags(__PROC_PROTECT, 0));
        printf("2nd attempt %d\n", setpflags(__PROC_PROTECT, 0));
        return 0;
}
dcarlier@openindianavbox:/tmp$ gcc a.c
dcarlier@openindianavbox:/tmp$ ./a.out 
1st attempt 0
2nd attempt 0

don t think we need getpflags to check.

Actions #8

Updated by gstrauss 5 months ago

  • Status changed from New to Patch Pending
  • Target version changed from 1.4.xx to 1.4.64

Probably overthinking it. If it helps, great. If it does not, then things are the same as they were before.

Actions #9

Updated by devnexen 5 months ago

  • Status changed from Patch Pending to Fixed
Actions #10

Updated by devnexen 5 months ago

your last changes work for me.

Actions

Also available in: Atom