author | Jenkins <jenkins@review.openstack.org> | 2017-04-05 14:23:49 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2017-04-05 14:23:49 +0000 |
commit | 963d4a6954ea6b5c25706b082748550d3f647140 (patch) | |
tree | 976c0fd4821b8171771e99615d875f6d58031c15 | |
parent | 29faa38ddca3a91d6944bdda8daceda4dde2b128 (diff) | |
parent | 4483378fec94ab3af9ad12e66bc6bc8697a673c6 (diff) |
Merge "Disable core dump for setuid programs"
-rw-r--r-- | puppet/services/kernel.yaml | 2 | ||||
-rw-r--r-- | releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml | 12 |
2 files changed, 14 insertions, 0 deletions
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index ee4c771f..bc4380a5 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -58,5 +58,7 @@ outputs:
 value: {get_param: KernelPidMax}
 kernel.dmesg_restrict:
 value: 1
+ fs.suid_dumpable:
+ value: 0
 step_config: |
 include ::tripleo::profile::base::kernel
diff --git a/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml b/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml
new file mode 100644
index 00000000..3168a549
--- /dev/null
+++ b/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml
@@ -0,0 +1,12 @@
+---
+upgrade:
+ - |
+ The fs.suid_dumpable kernel parameter is now explicitly set to 0 to prevent
+ exposing sensitive data through core dumps of processes with elevated
+ permissions. Deployments that set or depend on non-zero values for
+ fs.suid_dumpable may be affected by upgrading.
+security:
+ - |
+ Explicitly disable core dump for setuid programs by setting
+ fs.suid_dumpable = 0, this will descrease the risk of unauthorized access
+ of core dump file generated by setuid program.
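Review bot: The new `fs.suid_dumpable: value: 0` entry in the kernel.yaml hunk carries no comment, and 0 is already the kernel's built-in default, so a reader will wonder what the line actually protects against; I would add `# 0 is the kernel default; set it explicitly so a distro sysctl.d drop-in cannot re-enable core dumps of setuid/privileged processes` above it. Whether the setting sticks across a reboot is not visible here: hosts that ship systemd-coredump typically install a sysctl.d drop-in that sets fs.suid_dumpable to 2, and the surviving value then depends on which file systemd-sysctl applies last, so it is worth confirming that the file the tripleo kernel profile writes sorts after that drop-in (presumably, given it is a sysctl map consumed by `::tripleo::profile::base::kernel`, but I cannot tell from this hunk). Note also that kernel.pid_max on the line above is operator-tunable through KernelPidMax while this value is hard-coded like kernel.dmesg_restrict; since the release note itself warns that deployments relying on a non-zero value "may be affected", a parameter with default 0 would give them an opt-out instead of a silent override. The enclosing `outputs:` map begins before this hunk. Separately, the release-note hunk misspells "decrease" as "descrease".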