[Linux-ha-dev] dumping core
Alan Robertson
alanr at unix.sh
Thu Oct 14 20:41:39 MDT 2004
As has been pointed out before, heartbeat dumps core reluctantly and in
some cases with great difficulty.
I haven't fixed this yet, because there are security implications
associated with this that I hadn't completely worked out. Tonight I
decided that most of my concerns were red herrings.
Here are some of the relevant facts and issues:

We run as few processes as root as possible. In 2.x that will be exactly
2 processes.

Things that talk to the network often have to start up as root but then
switch to "nobody" so they have minimal permissions should they be
compromised.

All core files are by default named "core" and they go into the current
directory of the dumping process.

Although core files are written by the kernel, they are written with the
euid, egid and umask the process had as it terminated (which means
'nobody' for those mentioned above).

There are no Linux or UNIX standards for where processes should dump
their dumps (but somewhere on /var makes sense to me).

It is necessary to have a 7xx mode directory writable by nobody if we
want to capture our 'nobody' core dumps.
It would be nice to capture every possible core dump - but I'm not
fanatically worried about that - because core dumps are (and should be!)
rare. From this perspective, I thought LMB's proposal was overkill and
messy (perhaps a bit hard to keep cleaned up too).
So, I have what I think is a minimal solution which deals with the security
issues as best as they can be, while allowing each process to dump its dump
as needed...
The core dump directory hierarchy is rooted at /var/run/heartbeat/cores,
and it is owned by root and mode 755 (or 511 or whatever suits you)
It would be structured like this:
/var/run/heartbeat/cores 755 owned by root
/var/run/heartbeat/cores/hacluster 700 owned by hacluster
/var/run/heartbeat/cores/root 700 owned by root
/var/run/heartbeat/cores/nobody 700 owned by nobody
This would permit us to write one core process per user id we run as. I
think this is enough, and it keeps us from filling up the filesystem if
something somehow goes nuts and our wonderful restart capability keeps
restarting us again and again and again ;-)
--
Alan Robertson <alanr at unix.sh>
"Openness is the foundation and preservative of friendship... Let me claim
from you at all times your undisguised opinions." - William Wilberforce
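As an added example (not code from the post or from heartbeat), here is a small audit of the layout described above: it checks that the top directory is root-owned and not group/other writable, and that each per-user directory is a real directory owned by the user it is named after with mode 700, which is what the kernel's "write the core as the dying process's euid/egid/umask" rule requires. The base path and user names are parameters; the defaults are the values from the post.

```python
import os
import pwd
import stat

# Layout from the post: a root-owned 0755 top directory and one 0700 directory
# per uid heartbeat runs as. The base path is a parameter so the audit can be
# pointed at a test tree; the user names are the post's examples.
CORE_USERS = ("hacluster", "root", "nobody")

def audit_core_dirs(base, users=CORE_USERS):
    """Return a list of problems found in a core-dump directory tree.

    The core is written with the euid/egid/umask of the dying process, so
    each per-user directory must be owned by that user and be mode 0700;
    the parent must be root-owned and not writable by group or other."""
    problems = []
    try:
        st = os.lstat(base)
    except FileNotFoundError:
        return ["%s: missing" % base]
    if not stat.S_ISDIR(st.st_mode):
        return ["%s: not a directory" % base]
    if st.st_uid != 0:
        problems.append("%s: owner uid %d, expected root" % (base, st.st_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("%s: group/other writable" % base)
    for name in users:
        path = os.path.join(base, name)
        try:
            sub = os.lstat(path)  # lstat: a symlink here is itself a problem
        except FileNotFoundError:
            problems.append("%s: missing" % path)
            continue
        if not stat.S_ISDIR(sub.st_mode):
            problems.append("%s: not a plain directory" % path)
            continue
        try:
            want_uid = pwd.getpwnam(name).pw_uid
        except KeyError:
            problems.append("%s: no such user" % path)
            continue
        if sub.st_uid != want_uid:
            problems.append("%s: owner uid %d, expected %s" % (path, sub.st_uid, name))
        mode = stat.S_IMODE(sub.st_mode)
        if mode != 0o700:
            problems.append("%s: mode %o, expected 700" % (path, mode))
    return problems
```

Running `audit_core_dirs("/var/run/heartbeat/cores")` on a node returns an empty list when the tree matches the layout in the post.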