Core-dumping Setuid Processes on Solaris

By default, Solaris (at least Solaris 8) does not allow setuid processes to dump core, since a core file can expose data that the process read with elevated privileges. Sometimes, though, you have to debug a setuid process and really need a core file from the point at which it segfaulted or otherwise exploded. The following technique is based on a post by Casper Dik in comp.unix.solaris.

If you know how the process will terminate (with a SEGV or a bus error, for instance), you can try this:

    truss -t \!all -S segv,bus -p <pid> &

as root, where <pid> is the PID of the process that you want to catch a core dump of. Now, when the program crashes with one of the specified signals, it will hang around in a stopped state. You can then do:

    gcore <pid>

as root to force the process to dump core. (The gcore program is worth knowing about in general; you can use it on Solaris to force a program to dump core at any arbitrary point, which can be invaluable for debugging purposes.)

Once you have your core file, you can let the process finish crashing with:

    prun <pid>

The program will then finish catching the fatal signal and die.

The above technique can also be used to catch core dumps from processes that have their core dump rlimit set to zero for some reason.
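The truss, gcore and prun steps above, combined into one shell function as an added example (not code from the original page or from Casper Dik's post). The function name, the CORE_DIR default and the use of gcore's -o option are assumptions of this example; it runs truss in the foreground instead of with & and keeps the core file readable by root only, because the file is a copy of the privileged process's memory.

```shell
#!/bin/sh
# Added example, not from the original page. Run as root on Solaris.
# Assumed names: capture_setuid_core, CORE_DIR and its default path.
CORE_DIR=${CORE_DIR:-/var/tmp/setuid-cores}

capture_setuid_core() {
    pid=$1
    if [ -z "$pid" ]; then
        echo "usage: capture_setuid_core <pid>" >&2
        return 2
    fi
    if ! kill -0 "$pid" 2>/dev/null; then
        echo "no such process: $pid" >&2
        return 1
    fi

    # The core is a copy of the privileged process's memory, so create the
    # directory and the file readable by the owner (root) only.
    old_umask=$(umask)
    umask 077
    if ! mkdir -p "$CORE_DIR" || ! chmod 700 "$CORE_DIR"; then
        umask "$old_umask"
        return 1
    fi

    # Foreground truss: it returns once the process has been left stopped on
    # SEGV/BUS, or once the process has exited for some other reason.
    truss -t '!all' -S segv,bus -p "$pid"

    rc=0
    if kill -0 "$pid" 2>/dev/null; then
        # gcore -o <prefix> writes <prefix>.<pid>
        gcore -o "$CORE_DIR/core" "$pid" || rc=1
        prun "$pid"      # let the process finish dying
    else
        echo "process $pid exited without being stopped; no core taken" >&2
        rc=1
    fi
    umask "$old_umask"
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    capture_setuid_core "$@"
fi
```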

Alternatively, you can also turn on core dumps for all setuid processes by putting:

    set allow_setid_core = 1

in /etc/system and rebooting, but this is an insecure configuration to run in permanently and should be changed back as soon as debugging has finished.

Last spun 2022-02-06 from thread modified 2013-01-04