Automatic backtrace [Was: Re: NetAPP/Samba 3.0/plugs]

Martin Pool mbp at samba.org
Wed Mar 13 16:51:05 GMT 2002


On 13 Mar 2002, Scott Gifford <sgifford at suspectclass.com> wrote:
> Andrew Bartlett <abartlet at pcug.org.au> writes:
> > Scott Gifford wrote:
> > > Andrew Bartlett <abartlet at pcug.org.au> writes:
> > > > Scott Gifford wrote:

> > > > > Perhaps I'm missing something obvious, but why not just let Samba dump
> > > > > core?...It's straightforward to provide a backtrace from a core file.
> > > >
> > > > Where?  Under what uid?  Following what symlinks?
> > > 
> > > All of this is handled by the OS, and core is dumped in the current
> > > working directory.  I don't know how Samba decides what directories to
> > > chdir() into, but if it wanders around a bit, something like
> > > chdir("/some/known/directory"); abort(); in a signal handler will make
> > > sure that the corefile ends up in a sane place.
> > 
> > But as what user?  And it must work perfectly across 30 different
> > operating systems.  A sig11 that has us compleatly hosed must not be
> > able to affect where/how we dump core. 
> 
> A setuid() could select which user, and:
> 
>     setuid(0);
>     chdir("/static/string");
>     abort(); 
> 
> is pretty standard stuff, and pretty likely (even if not guaranteed)
> to work in a signal handler.  But at any rate...

Apache does this, and it's configurable by the CoreDumpDirectory
configuration option.  Their situation is slightly different, because
after startup the server runs only as a single uid.

  /* handle all varieties of core dumping signals */
  static void sig_coredump(int sig)
  {
      chdir(ap_coredump_dir);
      signal(sig, SIG_DFL);
  #if !defined(WIN32) && !defined(NETWARE)
      kill(getpid(), sig);
  #else
      raise(sig);
  #endif
      /* At this point we've got sig blocked, because we're still inside
       * the signal handler.  When we leave the signal handler it will
       * be unblocked, and we'll take the signal... and coredump or whatever
       * is appropriate for this particular Unix.  In addition the parent
       * will see the real signal we received -- whereas if we called
       * abort() here, the parent would only see SIGABRT.
       */
  }
  
To guard against revealing passwords, you could also stat(".") after
the chdir, and check uid==0, mode==0700.

Possibly there is some security reason why it's not appropriate, but i
can't see it.

At the risk of being too clever, we could also mkdir(getpid()), to
capture multiple core files on platforms that do not have a mechanism
for setting the corefile name.

> > In any case, the user who understands what a 'core' does is not the
> > target audience.  The target audience is the user who gets a Panic and
> > doesn't know much more than how to send us a logfile.  

I've seen some situations where even though the user could not use a
corefile themselves they would know what to do with one.  It's also
not that hard for people to learn how to e.g. get a backtrace out --
you can see plenty of examples of this on the debian or gnome bug
databases.

-- 
Martin 




More information about the samba-technical mailing list