-
Notifications
You must be signed in to change notification settings - Fork 17.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
runtime: provide a way to opt in to stack trace printing for process-terminating signals in secure-mode binaries on Unix OSes #69868
Comments
#68103 is an interesting related bug. It looks like the |
CC @golang/runtime @golang/security |
I'm somewhat concerned about all of a sudden giving debug.SetTraceback security properties which it previously didn't. Everyone who has set a non-default traceback value will, all of a sudden, have disabled a security feature that may not be aware of. In general, letting this be a switch set in code is somewhat complicated from a security perspective. What the developer wants and expects is likely to be somewhat different from what the person deploying the binary wants/expects, especially if they are using the various capability restriction/elevation features. In particular I'm not sure if there is really a way to make it clear to users whether the developer has called debug.SetTraceback, and as such if potentially sensitive data will be elided or not. |
It's currently the case today that
I'm definitely sympathetic to this idea. However, the change in #60272 causes the program to completely ignore GOTRACEBACK (rather than, say, setting a different default value). So the knob that's most easily available to the deployer of the binary (an environment variable) cannot control this setting; the only (partial) knob that's available is For my needs, I don't particularly care whether the solution is |
This probably needs a proposal to move forward. |
I can turn this into a proposal, but I'd appreciate some feedback about what direction the runtime/security folks would find most palatable. By the way, I should say that from my perspective as a user, I'm not asking for a new feature but rather a fix for a regression. We had a program that produced stack traces when it crashed, but since the changes in #60272, it has produced useless empty output instead. This includes cases where tests deadlock and produce no output when they are killed with SIGQUIT, making them impossible to debug. (The test binary is given CAP_SYS_ADMIN in order to exercise certain containerization functionality.) |
In compiler/runtime triage, we think this might be best as a new API (not exactly sure what form it should take), though whatever we do needs @rolandshoemaker's input. |
Go version
go version go1.23.1 linux/amd64
Output of
go env
in your module/workspace:What did you do?
Consider two trivial go programs. First,
sleep.go
:Second,
panic.go
:First, run
sleep.go
and then interrupt it by hittingC-\
(SIGQUIT):Next, run
panic.go
in the same way:All normal stuff. Now let's do the same thing but with a binary that has
CAP_SYS_ADMIN
:In both cases (SIGQUIT and a normal panic), printing stack traces is suppressed by the Go runtime. This is a security measure implemented last year in #60272.
If I want to bypass this stack trace suppression anyway, I can do so for panics by calling
runtime/debug.SetTraceback
. For example, If I add the lineto
panic.go
, then it restores the normal unprivileged panic stack trace printing behavior:However, as far as I know, there is no equivalent way to opt in to the default signal-handling stack trace printing behavior. If I want to print stack traces on SIGQUIT, I'd have to listen for the signal and do it myself.
What did you see happen?
No way to turn on stack trace printing for process-terminating signals for this
CAP_SYS_ADMIN
binary.What did you expect to see?
I believe there should be a way to ask the runtime to print stack traces on SIGQUIT when running in secure mode. One way to to this would be to piggyback on
debug.SetTraceback
and restore the signal stack trace printing behavior whenSetTraceback
is called with some value other than "none" (or perhaps only when called with "all" or "single", or perhaps only when called with "all").Alternatively, we can provide a new API such as
runtime/debug.SetSignalTraceback(bool)
.cc:
The text was updated successfully, but these errors were encountered: