Consider saving coredumps to a sticky directory
Originally created by @cypherpunks on #12437 (Redmine)
Currently, Tails does not save coredumps due to PAM restricting resource limits (`RLIMIT_CORE` is set to 0). This means that both benign bugs and exploit attempts that trigger a variety of failures will be very difficult to analyze. Segfaults and assertions, for example, are often triggered upon failed exploit attempts and exploits which require multiple tries to succeed. I propose Tails enable coredumps and log them to a unified directory to make it easier for the more tech-savvy individuals to limit the lifetime of exploits used against Tails users.
The simplest way to do that on a regular Linux system would be through these commands:
```sh
# Enable coredumps and limit their maximum size using PAM
echo "* - core 32768" >> /etc/security/limits.conf
# Create a sticky directory to store the core files
mkdir -m 1777 /var/coredumps
# Don't let the coredump directory take up too much space
echo "tmpfs /var/coredumps tmpfs nodev,nosuid,noexec,size=256M 0 0" >> /etc/fstab
# Save all coredumps to the new directory, and give them unique names (example format)
echo "kernel.core_pattern = /var/coredumps/%e.%P" >> /etc/sysctl.d/coredumps.conf
# Dumping setuid binaries is safe, because the directory is sticky
echo "fs.suid_dumpable = 1" >> /etc/sysctl.d/coredumps.conf
# A reboot is the easiest way for all of this to take effect
shutdown -r now
```
Note that this can also be accomplished with `systemd-coredump` (not installed by default on Tails), which configures the `kernel.core_pattern` sysctl to pipe all coredumps to that program, which then processes them and logs them to systemd's ugly binary journal. I'm not suggesting it primarily because I know nothing about it.
Please consider enabling coredumps on Tails. It will help dissuade attackers from attempting to use valuable exploits against Tails users, and will make attacks in general easier to catch and analyze.
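A way to verify that the setup above is actually in effect, added here as an example (not code from the original issue or from Tails): each check takes the file or directory to inspect as a parameter, so it can be pointed at the live `/proc/sys` values and `/var/coredumps`, or at constructed fixture files. The `check_live_system` wrapper and the expected directory mode `drwxrwxrwt` are assumptions matching the `mkdir -m 1777` line above.

```sh
#!/bin/sh
# Added example: verify that the coredump setup described above is in effect.
# Every path is a parameter so the checks can run against the live system
# (/proc/sys/...) or against constructed fixture files.

# check_core_pattern PATTERN_FILE DUMP_DIR
# The pattern must write files (not pipe to a helper program) under DUMP_DIR
# and include a pid field; without %p/%P dumps from one program collide.
check_core_pattern() {
    pattern=$(cat "$1")
    case "$pattern" in
        "|"*) echo "core_pattern pipes to a program: $pattern"; return 1 ;;
        "$2"/*) ;;
        *) echo "core_pattern does not write under $2: $pattern"; return 1 ;;
    esac
    case "$pattern" in
        *%p*|*%P*) return 0 ;;
        *) echo "core_pattern lacks %p/%P; dumps would overwrite each other"; return 1 ;;
    esac
}

# check_suid_dumpable VALUE_FILE
# 0 means setuid programs never dump, so their crashes stay invisible;
# any other value matches the fs.suid_dumpable line in the proposal.
check_suid_dumpable() {
    value=$(cat "$1")
    [ "$value" != "0" ] || { echo "fs.suid_dumpable is 0"; return 1; }
}

# check_dump_dir DIR
# The directory must exist and be world-writable with the sticky bit set
# (drwxrwxrwt), so users can only delete their own dumps.
check_dump_dir() {
    [ -d "$1" ] || { echo "$1 does not exist"; return 1; }
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "drwxrwxrwt" ] || { echo "$1 is $perms, expected drwxrwxrwt"; return 1; }
}

# Run all three checks against the live kernel settings and /var/coredumps
# (assumed directory from the proposal above).
check_live_system() {
    check_core_pattern /proc/sys/kernel/core_pattern /var/coredumps &&
    check_suid_dumpable /proc/sys/fs/suid_dumpable &&
    check_dump_dir /var/coredumps
}
```

Running `check_live_system` after the reboot prints the first setting that does not match and returns non-zero, so it can go into a post-boot sanity script.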