All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
To: Jonny Grant <jg@jguk.org>, Jakub Wilk <jwilk@jwilk.net>
Cc: mtk.manpages@gmail.com, linux-man <linux-man@vger.kernel.org>
Subject: Re: core(5)
Date: Mon, 8 Jun 2020 18:18:51 +0200	[thread overview]
Message-ID: <598453e7-9bec-c6bb-11bd-ca19ab90f807@gmail.com> (raw)
In-Reply-To: <a504a2ab-32d2-ad39-295f-47a1d5de2f34@jguk.org>

Hi Jonny,

On 6/6/20 11:16 PM, Jonny Grant wrote:
> 
> 
> On 06/06/2020 20:39, Michael Kerrisk (man-pages) wrote:
>> On Sat, 6 Jun 2020 at 20:32, Jakub Wilk <jwilk@jwilk.net> wrote:
>>>
>>> * Jonny Grant <jg@jguk.org>, 2020-06-06, 16:45:
>>>>>> 3) Could i ask to clarify my understanding. For this "The binary
>>>>>> being executed by the process does not have read permission enabled."
>>>>>> -- is this when the binary permissions are changed after it starts
>>>>>> running?
>>>>> No, AFAICS the permission check is done when the process starts.
>>>> How can the process start if the binary file doesn't have read
>>>> permissions enabled?
>>>
>>> It's a bit weird, but the kernel doesn't mind:
>>>
>>>     $ cp /bin/ls .
>>>     $ chmod a-r ls
>>>     $ ./ls -l ls
>>>     --wx--x--x 1 jwilk jwilk 138856 Jun  6 20:22 ls
>>
>> And from core(5):
>>
>>         There are various circumstances in which a core dump file  is  not
>>         produced:
>>         ...
>>         *  The binary being executed by the process  does  not  have  read
>>            permission enabled.
>>
>> So, the binary can be executed, but not read, and will not do a core
>> dump (since that might be readable).
>>
>> Thanks,
>>
>> Michael
> 
> Hi Michael, Jakub,
> 
> It sounds like a good security feature. Could that be documented on the man page as the reason?
> 
> ie something like this:
> 
> *  The binary being executed by the process  does  not  have  read 
> permission enabled, therefore a core file would reveal information in
> a readable file, so it cannot be dumped.

Thanks for the suggested wording. I applied the patch below.

Thanks,

Michael

diff --git a/man5/core.5 b/man5/core.5
index 456366ea6..0d7b7b617 100644
--- a/man5/core.5
+++ b/man5/core.5
@@ -90,6 +90,10 @@ in
 .IP *
 The binary being executed by the process does not have read
 permission enabled.
+(This is a security measure to
+ensure that an executable whose contents are not readable
+does not produce a\(empossibly readable\(emcore dump containing
+an image of the executable.)
 .IP *
 The process is executing a set-user-ID (set-group-ID) program
 that is owned by a user (group) other than the real user (group)
-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

  reply	other threads:[~2020-06-08 16:18 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-06 13:18 core(5) Jonny Grant
2020-06-06 14:50 ` core(5) Jakub Wilk
2020-06-06 15:45   ` core(5) Jonny Grant
2020-06-06 18:32     ` core(5) Jakub Wilk
2020-06-06 19:39       ` core(5) Michael Kerrisk (man-pages)
2020-06-06 21:16         ` core(5) Jonny Grant
2020-06-08 16:18           ` Michael Kerrisk (man-pages) [this message]
2020-06-08 16:06 ` core(5) Michael Kerrisk (man-pages)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=598453e7-9bec-c6bb-11bd-ca19ab90f807@gmail.com \
    --to=mtk.manpages@gmail.com \
    --cc=jg@jguk.org \
    --cc=jwilk@jwilk.net \
    --cc=linux-man@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.