authorJenkins <jenkins@review.openstack.org>2017-04-05 14:23:49 +0000
committerGerrit Code Review <review@openstack.org>2017-04-05 14:23:49 +0000
commit963d4a6954ea6b5c25706b082748550d3f647140 (patch)
tree976c0fd4821b8171771e99615d875f6d58031c15
parent29faa38ddca3a91d6944bdda8daceda4dde2b128 (diff)
parent4483378fec94ab3af9ad12e66bc6bc8697a673c6 (diff)
Merge "Disable core dump for setuid programs"
-rw-r--r--puppet/services/kernel.yaml2
-rw-r--r--releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml12
2 files changed, 14 insertions, 0 deletions
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index ee4c771f..bc4380a5 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -58,5 +58,7 @@ outputs:
value: {get_param: KernelPidMax}
kernel.dmesg_restrict:
value: 1
+ fs.suid_dumpable:
+ value: 0
step_config: |
include ::tripleo::profile::base::kernel
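Review bot: Because 0 is already the kernel's built-in default for fs.suid_dumpable, the new entry only hardens anything if the value puppet applies actually wins over host-level overrides, and the hunk gives no hint that this was checked; systemd's shipped sysctl.d/50-coredump.conf sets fs.suid_dumpable=2 in at least some versions, and abrt or a local /etc/sysctl.d fragment may do the same, so please confirm the file the sysctl module writes sorts after those (or is applied after them at boot) on the supported RHEL/CentOS images. It would also help to record the intent next to the value, since the neighbouring kernel.dmesg_restrict carries no explanation either: `# 0 = never dump a process that changed credentials (setuid/setgid or dropped privileges); pinned so distro sysctl.d fragments cannot raise it to 1 or 2`. Note that this does not protect core dumps of ordinary unprivileged service processes, which can still hold credentials, so it should not be presented as the only control on core-dump exposure. The enclosing config_settings/outputs mapping starts before this hunk, so I could not check whether operators have a parameter that can override this key.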
diff --git a/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml b/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml
new file mode 100644
index 00000000..3168a549
--- /dev/null
+++ b/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml
@@ -0,0 +1,12 @@
+---
+upgrade:
+ - |
+ The fs.suid_dumpable kernel parameter is now explicitly set to 0 to prevent
+ exposing sensitive data through core dumps of processes with elevated
+ permissions. Deployments that set or depend on non-zero values for
+ fs.suid_dumpable may be affected by upgrading.
+security:
+ - |
+ Explicitly disable core dump for setuid programs by setting
+ fs.suid_dumpable = 0, this will descrease the risk of unauthorized access
+ of core dump file generated by setuid program.