core.5, proc.5: Minor edits to Kees Cook's suid_dumpable patch

[thirdparty/man-pages.git] / man5 / core.5

.\" Copyright (c) 2006, 2008 by Michael Kerrisk <mtk.manpages@gmail.com>
.\"
.\" Permission is granted to make and distribute verbatim copies of this
.\" manual provided the copyright notice and this permission notice are
.\" preserved on all copies.
.\"
.\" Permission is granted to copy and distribute modified versions of this
.\" manual under the conditions for verbatim copying, provided that the
.\" entire resulting derived work is distributed under the terms of a
.\" permission notice identical to this one.
.\"
.\" Since the Linux kernel and libraries are constantly changing, this
.\" manual page may be incorrect or out-of-date.  The author(s) assume no
.\" responsibility for errors or omissions, or for damages resulting from
.\" the use of the information contained herein.  The author(s) may not
.\" have taken the same level of care in the production of this manual,
.\" which is licensed free of charge, as they might when working
.\" professionally.
.\"
.\" Formatted or processed versions of this manual, if unaccompanied by
.\" the source, must acknowledge the copyright and authors of this work.
.\"
.TH CORE 5 2012-07-16 "Linux" "Linux Programmer's Manual"
.SH NAME
core \- core dump file
.SH DESCRIPTION
The default action of certain signals is to cause a process to terminate
and produce a
.IR "core dump file" ,
a disk file containing an image of the process's memory at
the time of termination.
This image can be used in a debugger (e.g.,
.BR gdb (1))
to inspect the state of the program at the time that it terminated.
A list of the signals which cause a process to dump core can be found in
.BR signal (7).

A process can set its soft
.B RLIMIT_CORE
resource limit to place an upper limit on the size of the core dump file
that will be produced if it receives a "core dump" signal; see
.BR getrlimit (2)
for details.

There are various circumstances in which a core dump file is
not produced:
.IP * 3
The process does not have permission to write the core file.
(By default the core file is called
.IR core ,
and is created in the current working directory.
See below for details on naming.)
Writing the core file will fail if the directory in which
it is to be created is nonwritable,
or if a file with the same name exists and
is not writable
or is not a regular file
(e.g., it is a directory or a symbolic link).
.IP *
A (writable, regular) file with the same name as would be used for the
core dump already exists, but there is more than one hard link to that
file.
.IP *
The file system where the core dump file would be created is full;
or has run out of inodes; or is mounted read-only;
or the user has reached their quota for the file system.
.IP *
The directory in which the core dump file is to be created does
not exist.
.IP *
The
.B RLIMIT_CORE
(core file size) or
.B RLIMIT_FSIZE
(file size) resource limits for the process are set to zero; see
.BR getrlimit (2)
and the documentation of the shell's
.I ulimit
command
.RI ( limit
in
.BR csh (1)).
.IP *
The binary being executed by the process does not have read
permission enabled.
.IP *
The process is executing a set-user-ID (set-group-ID) program
that is owned by a user (group) other than the real user (group)
ID of the process.
(However, see the description of the
.BR prctl (2)
.B PR_SET_DUMPABLE
operation, and the description of the
.I /proc/sys/fs/suid_dumpable
.\" FIXME . Perhaps relocate discussion of /proc/sys/fs/suid_dumpable
.\" and PR_SET_DUMPABLE to this page?
file in
.BR proc (5).)
.PP
In addition,
a core dump may exclude part of the address space of the process if the
.BR madvise (2)
.B MADV_DONTDUMP
flag was employed.
.SS Naming of core dump files
By default, a core dump file is named
.IR core ,
but the
.I /proc/sys/kernel/core_pattern
file (since Linux 2.6 and 2.4.21)
can be set to define a template that is used to name core dump files.
The template can contain % specifiers which are substituted
by the following values when a core file is created:
.PP
.RS 4
.PD 0
.TP 4
%%
a single % character
.TP
%p
PID of dumped process
.TP
%u
(numeric) real UID of dumped process
.TP
%g
(numeric) real GID of dumped process
.TP
%s
number of signal causing dump
.TP
%t
time of dump, expressed as seconds since the
Epoch, 1970-01-01 00:00:00 +0000 (UTC)
.TP
%h
hostname (same as \fInodename\fP returned by \fBuname\fP(2))
.TP
%e
executable filename (without path prefix)
.TP
%E
pathname of executable,
with slashes (\(aq/\(aq) replaced by exclamation marks (\(aq!\(aq).
.TP
%c
core file size soft resource limit of crashing process (since Linux 2.6.24)
.PD
.RE
.PP
A single % at the end of the template is dropped from the
core filename, as is the combination of a % followed by any
character other than those listed above.
All other characters in the template become a literal
part of the core filename.
The template may include \(aq/\(aq characters, which are interpreted
as delimiters for directory names.
The maximum size of the resulting core filename is 128 bytes (64 bytes
in kernels before 2.6.19).
The default value in this file is "core".
For backward compatibility, if
.I /proc/sys/kernel/core_pattern
does not include "%p" and
.I /proc/sys/kernel/core_uses_pid
(see below)
is nonzero, then .PID will be appended to the core filename.

Since version 2.4, Linux has also provided
a more primitive method of controlling
the name of the core dump file.
If the
.I /proc/sys/kernel/core_uses_pid
file contains the value 0, then a core dump file is simply named
.IR core .
If this file contains a nonzero value, then the core dump file includes
the process ID in a name of the form
.IR core.PID .

Since Linux 3.6,
.\" 9520628e8ceb69fa9a4aee6b57f22675d9e1b709
if
.I /proc/sys/fs/suid_dumpable
is set to 2 ("suidsafe"), the pattern must be either an absolute pathname
(starting with a leading \(aq/\(aq character) or a pipe, as defined below.

.SS Piping core dumps to a program
Since kernel 2.6.19, Linux supports an alternate syntax for the
.I /proc/sys/kernel/core_pattern
file.
If the first character of this file is a pipe symbol (\fB|\fP),
then the remainder of the line is interpreted as a program to be
executed.
Instead of being written to a disk file, the core dump is given as
standard input to the program.
Note the following points:
.IP * 3
The program must be specified using an absolute pathname (or a
pathname relative to the root directory, \fI/\fP),
and must immediately follow the '|' character.
.IP *
The process created to run the program runs as user and group
.IR root .
.IP *
Command-line arguments can be supplied to the
program (since kernel 2.6.24),
delimited by white space (up to a total line length of 128 bytes).
.IP *
The command-line arguments can include any of
the % specifiers listed above.
For example, to pass the PID of the process that is being dumped, specify
.I %p
in an argument.
.SS Controlling which mappings are written to the core dump
Since kernel 2.6.23, the Linux-specific
.IR /proc/PID/coredump_filter
file can be used to control which memory segments are written to the
core dump file in the event that a core dump is performed for the
process with the corresponding process ID.

The value in the file is a bit mask of memory mapping types (see
.BR mmap (2)).
If a bit is set in the mask, then memory mappings of the
corresponding type are dumped; otherwise they are not dumped.
The bits in this file have the following meanings:
.PP
.PD 0
.RS 4
.TP
bit 0
Dump anonymous private mappings.
.TP
bit 1
Dump anonymous shared mappings.
.TP
bit 2
Dump file-backed private mappings.
.TP
bit 3
Dump file-backed shared mappings.
.\" file-backed shared mappings of course also update the underlying
.\" mapped file.
.TP
bit 4 (since Linux 2.6.24)
Dump ELF headers.
.TP
bit 5 (since Linux 2.6.28)
Dump private huge pages.
.TP
bit 6 (since Linux 2.6.28)
Dump shared huge pages.
.RE
.PD
.PP
By default, the following bits are set: 0, 1, 4 (if the
.B CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS
kernel configuration option is enabled), and 5.
The value of this file is displayed in hexadecimal.
(The default value is thus displayed as 33.)

Memory-mapped I/O pages such as frame buffer are never dumped, and
virtual DSO pages are always dumped, regardless of the
.I coredump_filter
value.

A child process created via
.BR fork (2)
inherits its parent's
.I coredump_filter
value;
the
.I coredump_filter
value is preserved across an
.BR execve (2).

It can be useful to set
.I coredump_filter
in the parent shell before running a program, for example:

.in +4n
.nf
.RB "$" " echo 0x7 > /proc/self/coredump_filter"
.RB "$" " ./some_program"
.fi
.in
.PP
This file is only provided if the kernel was built with the
.B CONFIG_ELF_CORE
configuration option.
.SH NOTES
The
.BR gdb (1)
.I gcore
command can be used to obtain a core dump of a running process.

If a multithreaded process (or, more precisely, a process that
shares its memory with another process by being created with the
.B CLONE_VM
flag of
.BR clone (2))
dumps core, then the process ID is always appended to the core filename,
unless the process ID was already included elsewhere in the
filename via a %p specification in
.IR /proc/sys/kernel/core_pattern .
(This is primarily useful when employing the LinuxThreads implementation,
where each thread of a process has a different PID.)
.\" Always including the PID in the name of the core file made
.\" sense for LinuxThreads, where each thread had a unique PID,
.\" but doesn't seem to serve any purpose with NPTL, where all the
.\" threads in a process share the same PID (as POSIX.1 requires).
.\" Probably the behavior is maintained so that applications using
.\" LinuxThreads continue appending the PID (the kernel has no easy
.\" way of telling which threading implementation the user-space
.\" application is using). -- mtk, April 2006
.SH EXAMPLE
The program below can be used to demonstrate the use of the
pipe syntax in the
.I /proc/sys/kernel/core_pattern
file.
The following shell session demonstrates the use of this program
(compiled to create an executable named
.IR core_pattern_pipe_test ):
.PP
.in +4n
.nf
.RB "$" " cc \-o core_pattern_pipe_test core_pattern_pipe_test.c"
.RB "$" " su"
Password:
.RB "#" " echo \(dq|$PWD/core_pattern_pipe_test %p \
UID=%u GID=%g sig=%s\(dq > \e"
.B "    /proc/sys/kernel/core_pattern"
.RB "#" " exit"
.RB "$" " sleep 100"
.BR "^\e" "                     # type control-backslash"
Quit (core dumped)
.RB "$" " cat core.info"
argc=5
argc[0]=</home/mtk/core_pattern_pipe_test>
argc[1]=<20575>
argc[2]=<UID=1000>
argc[3]=<GID=100>
argc[4]=<sig=3>
Total bytes in core dump: 282624
.fi
.in
.SS Program source
\&
.nf
/* core_pattern_pipe_test.c */

#define _GNU_SOURCE
#include <sys/stat.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define BUF_SIZE 1024

int
main(int argc, char *argv[])
{
    int tot, j;
    ssize_t nread;
    char buf[BUF_SIZE];
    FILE *fp;
    char cwd[PATH_MAX];

    /* Change our current working directory to that of the
       crashing process */

    snprintf(cwd, PATH_MAX, "/proc/%s/cwd", argv[1]);
    chdir(cwd);

    /* Write output to file "core.info" in that directory */

    fp = fopen("core.info", "w+");
    if (fp == NULL)
        exit(EXIT_FAILURE);

    /* Display command\-line arguments given to core_pattern
       pipe program */

    fprintf(fp, "argc=%d\\n", argc);
    for (j = 0; j < argc; j++)
        fprintf(fp, "argc[%d]=<%s>\\n", j, argv[j]);

    /* Count bytes in standard input (the core dump) */

    tot = 0;
    while ((nread = read(STDIN_FILENO, buf, BUF_SIZE)) > 0)
        tot += nread;
    fprintf(fp, "Total bytes in core dump: %d\\n", tot);

    exit(EXIT_SUCCESS);
}
.fi
.SH SEE ALSO
.BR bash (1),
.BR gdb (1),
.BR getrlimit (2),
.BR mmap (2),
.BR prctl (2),
.BR sigaction (2),
.BR elf (5),
.BR proc (5),
.BR pthreads (7),
.BR signal (7)