Commit Graph

30 Commits

Author SHA1 Message Date
Kevin Darbyshire-Bryant
7765e442d0 basefiles: allow suid coredumps
Set sysctl fs.suid_dumpable = 2

This allows suid processes to dump core according to kernel.core_pattern
setting.  LEDE typically uses suid to drop root privilege rather than
gain it but without this setting any suid process would be unable to
produce coredumps (e.g. dnsmasq).

Processes still need to set a non zero core file process limit ('ulimit
-c unlimited' or if procd used 'procd_set_param limits
core="unlimited"') in order to produce a core.  This setting removes an
obscure stumbling block along the way.

From https://www.kernel.org/doc/Documentation/sysctl/fs.txt

suid_dumpable:

This value can be used to query and set the core dump mode for setuid
or otherwise protected/tainted binaries. The modes are

0 - (default) - traditional behaviour. Any process which has changed
	privilege levels or is execute only will not be dumped.
1 - (debug) - all processes dump core when possible. The core dump is
	owned by the current user and no security is applied. This is
	intended for system debugging situations only. Ptrace is unchecked.
	This is insecure as it allows regular users to examine the memory
	contents of privileged processes.
2 - (suidsafe) - any binary which normally would not be dumped is dumped
	anyway, but only if the "core_pattern" kernel sysctl is set to
	either a pipe handler or a fully qualified path. (For more details
	on this limitation, see CVE-2006-2451.) This mode is appropriate
	when administrators are attempting to debug problems in a normal
	environment, and either have a core dump pipe handler that knows
	to treat privileged core dumps with care, or specific directory
	defined for catching core dumps. If a core dump happens without
	a pipe handler or fully qualified path, a message will be emitted
	to syslog warning about the lack of a correct setting.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2017-09-12 22:18:45 +02:00
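A configuration check that follows from the quoted suid_dumpable documentation, added here as an example and not part of the OpenWrt/LEDE commit: it classifies a fs.suid_dumpable / kernel.core_pattern pair the way the kernel does, so an operator can confirm that a privilege-dropping daemon such as dnsmasq will actually produce a core and that the insecure debug mode (1) is not in use. The fallback core_pattern value is a constructed placeholder, not the project's own setting.

```shell
#!/bin/sh
# Added example (not from the OpenWrt/LEDE tree). Decide what the kernel will
# do with a core dump from a process that changed privilege (suid / dropped
# root), given fs.suid_dumpable and kernel.core_pattern.
# Return codes: 0 = suid cores are written safely
#               1 = suid cores are silently (mode 0) or loudly (mode 2) suppressed
#               2 = insecure debug mode, regular users can read privileged memory
#               3 = value not recognised
suid_core_policy() {
    mode="$1"      # value of fs.suid_dumpable
    pattern="$2"   # value of kernel.core_pattern
    case "$mode" in
        0)  echo "mode 0: processes that changed privilege never dump core"
            return 1 ;;
        1)  echo "mode 1: every process dumps, core owned by current user (insecure)"
            return 2 ;;
        2)  case "$pattern" in
                \|*) echo "mode 2: suid cores handed to pipe handler '${pattern#|}'"
                     return 0 ;;
                /*)  echo "mode 2: suid cores written under absolute path '$pattern'"
                     return 0 ;;
                *)   echo "mode 2: pattern '$pattern' is relative; kernel refuses" \
                          "suid cores and logs a warning"
                     return 1 ;;
            esac ;;
        *)  echo "unknown fs.suid_dumpable value '$mode'"
            return 3 ;;
    esac
}

# On a live system read the running values with sysctl -n. The fallbacks are
# constructed sample values (mode 2 plus a placeholder absolute path) so the
# function can be exercised where sysctl is unavailable.
check_running_system() {
    m=$(sysctl -n fs.suid_dumpable 2>/dev/null || echo 2)
    p=$(sysctl -n kernel.core_pattern 2>/dev/null || echo "/tmp/PLACEHOLDER-%e.%t.core")
    suid_core_policy "$m" "$p"
}
```

Run `check_running_system` on a router after applying the sysctl and confirm it exits 0; together with a non-zero `ulimit -c` (or procd `limits core=`) that is the whole precondition for a suid daemon to leave a core.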
Steven Barth
468c1fb320 base-files: revert to default ECN settings
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 47160
2015-10-07 21:11:24 +00:00
Felix Fietkau
796a2d032b base-files: fix typo in core dump pattern sysctl entry (fixes #20489)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 46890
2015-09-12 08:57:59 +00:00
Felix Fietkau
ced2b641e2 base-files: set kernel.core_pattern in sysctl.conf
Move the pattern setting from netifd's service script to
/etc/sysctl.conf.  Put the timestamp component '%t' just after
executable name '%e' for more natural order from output of ls command.

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

SVN-Revision: 46867
2015-09-11 16:35:17 +00:00
Felix Fietkau
f30358d41a kernel: remove the netfilter optimization that skips the filter table, it has caused too many issues
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 44873
2015-03-17 17:14:48 +00:00
Steven Barth
929e73c7b6 base-files: increase igmp_max_memberships to improve multicast-proxy handling
SVN-Revision: 42227
2014-08-20 10:18:40 +00:00
Felix Fietkau
517ad9ff0d base-files: enable option to skip the netfilter "filter" table for established connection packets by default
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 42048
2014-08-07 19:30:36 +00:00
Felix Fietkau
59cfa05bf3 base-files: adjust the default netfilter tcp established connection timeout as per RFC 5382 (#17098)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 41599
2014-07-13 10:24:34 +00:00
Steven Barth
e2f33bedfa base-files: set default IPv6 forwarding value to 1
SVN-Revision: 36918
2013-06-11 13:30:18 +00:00
Steven Barth
ea7c9c85a8 base-files: Fix race-conditions with IPv6 sysctls
SVN-Revision: 35368
2013-01-29 10:13:33 +00:00
Steven Barth
5f735b291f base-files: remove IPv6-forwarding setting for all interfaces
SVN-Revision: 35344
2013-01-28 13:53:38 +00:00
Steven Barth
e0a338c969 base-files: Set default value for IPv6 forwarding
SVN-Revision: 35299
2013-01-22 16:47:09 +00:00
Steven Barth
847cd984b9 base-files: add support for ipv6-prefixes in connection with netifd
SVN-Revision: 35168
2013-01-15 13:07:51 +00:00
Steven Barth
3b0e77ee6b Remove default sysctl-entry for IPv6 here (races)
SVN-Revision: 34417
2012-11-29 20:14:04 +00:00
Felix Fietkau
c7c649126f base-files: remove obsolete entries from sysctl.conf (#12236)
SVN-Revision: 33532
2012-09-24 15:24:01 +00:00
Felix Fietkau
6c2a295245 base-files: enable TCP timestamps, enable sack/dsack. (patch by Dave Täht)
A year of testing in the cerowrt project shows not using timestamps
to be a very bad idea in nearly any TCP at speeds above a few Mbit.

Lastly sack/dsack help on recovery from larger amounts of packet
loss.

SVN-Revision: 32513
2012-06-27 22:32:44 +00:00
Jo-Philipp Wich
086cae30ce base-files: enable conntrack accounting in sysctl. It used to be a compile time option which got deprecated
SVN-Revision: 30805
2012-03-04 14:53:17 +00:00
Felix Fietkau
dea36724a4 base-files: remove an old network tunable tweak which is messing up network stack performance on modern systems
SVN-Revision: 28126
2011-08-29 23:34:11 +00:00
Jo-Philipp Wich
629e73938e base-files: update sysctl.conf for modern kernels
SVN-Revision: 26204
2011-03-17 15:35:41 +00:00
Jo-Philipp Wich
ce5d644ac1 base-files: enable IPv6 forwarding by default since the default firewall supports ip6tables now
SVN-Revision: 21766
2010-06-12 16:59:12 +00:00
Jo-Philipp Wich
bf9917d651 base-files: disable bridge firewalling by default
SVN-Revision: 19214
2010-01-18 05:38:44 +00:00
Felix Fietkau
038807906f change sysctl.conf to disable tcp ecn by default (based on discussion with marek who stumbled upon this, it creates hard-to-debug connectivity issues with providers/servers that still use buggy equipment)
SVN-Revision: 16499
2009-06-17 21:57:07 +00:00
Felix Fietkau
cf152cff39 tweak some sysctl values for better performance
SVN-Revision: 15129
2009-04-07 02:51:04 +00:00
Florian Fainelli
b065bc5310 increase default size of the connection tracking table, thanks Marc
SVN-Revision: 14283
2009-01-30 14:13:09 +00:00
Nicolas Thill
257ee32b7d disable ipv6 systcl call, as ipv6 is not enabled by default
SVN-Revision: 12351
2008-08-20 15:29:11 +00:00
Felix Fietkau
f27fd2ecc3 enable TCP ECN by default (see #3001 for more information)
SVN-Revision: 12334
2008-08-17 13:01:59 +00:00
Florian Fainelli
b8964159ff Enable IPv6 forwarding by default (#2527)
SVN-Revision: 9435
2007-10-24 18:44:07 +00:00
Felix Fietkau
9bf6078866 unify sysctl.conf, add extra netfilter options (#1996)
SVN-Revision: 7784
2007-06-30 02:59:09 +00:00
Felix Fietkau
383a21f3c5 use separate sysctl.conf files for 2.4 and 2.6 - fixes some boot message spam
SVN-Revision: 7043
2007-04-24 12:05:52 +00:00
Felix Fietkau
59a06c71cb rename default/ to files/
SVN-Revision: 5622
2006-11-22 23:30:57 +00:00