coredump: set ProtectHome to read-only
In 924453c ProtectHome was set to true for systemd-coredump in order to reduce risk, since an attacker could craft a malicious binary in order to compromise systemd-coredump.
At that point the object analysis was done in the main systemd-coredump process.
Because of this, systemd-coredump is unable to produce symbolicated call-stacks for binaries running under /home ("n/a" is shown instead of function names).

However, later in 61aea45 systemd-coredump was changed to do the object analysis in a forked process,
covering those security concerns.

Let's set ProtectHome to read-only so that systemd-coredump produces symbolicated call-stacks for processes running under /home.
Ecordonnier authored and poettering committed Sep 6, 2024
1 parent b9ea646 commit 4ac1755
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion units/systemd-coredump@.service.in
Expand Up @@ -28,7 +28,7 @@ PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHome=read-only
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
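
Review bot: the new `ProtectHome=read-only` line has no comment explaining why it is weaker than the sandboxing settings around it, so a later hardening pass could set it back to `yes` and silently bring back the "n/a" call stacks. Consider a short comment above it stating that read access to /home is needed to symbolicate binaries located there and that object analysis runs in a forked process. Note also that `read-only` applies to the whole service, so /home, /root and /run/user become readable by the main systemd-coredump process as well, not only by the forked analyzer; it would help to say explicitly in the commit message that this is acceptable.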