
An obscure kernel feature to get more info about dying processes - ice799
http://timetobleed.com/an-obscure-kernel-feature-to-get-more-info-about-dying-processes/
======
Marticus
This is actually quite interesting - I didn't know you could do that, and I
will likely employ it in the future, especially with a remote web server or
something you can't immediately get to. So as you roll in, you check your
email on your phone, and know walking in what you're getting into and likely
how to fix it. From a time-optimization viewpoint, this is nigh-invaluable.

Plus this guy has some other very nifty articles.

But I guess (glancing at first few comments) that "haterz gonna hate."

------
gxti
Fedora's Automated Bug Reporting Tool (abrt) uses this to automatically
produce crash reports, which you can sanitize and approve to post in a central
location for developers. I imagine that Ubuntu does something similar.

------
tzs
So what happens if the helper application crashes and tries to dump core?
Would it try to run another instance of it to handle that crash, and so on,
leading to a "core bomb"?

------
barrkel
It is nice to know that Linux has this feature, but it essentially amounts to
a JIT debugger, and has been in other OSes for a long time. In Windows, it's
been there since at least NT 4.

------
JoeAltmaier
Hook root when a process crashes? How long until an exploit?

~~~
InclinedPlane
If you have the ability to modify or create files in /proc you almost
certainly already control the system.

~~~
dododo
On the other hand, it makes for an interesting rootkit hook.

~~~
FooBarWidget
Which is more dangerous than all the other things you can do as root - like
inserting an arbitrary kernel module - how?

~~~
InclinedPlane
Dangerous: no, but he said interesting, so perhaps. The advantage of using
little known features, for rootkits, is that people are less likely to look
for them.
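
Added example, not part of the thread or the linked article: a defender-side audit of the crash-helper setting, assuming the feature under discussion is the pipe form of /proc/sys/kernel/core_pattern. The allowlist of packaged helpers, the scratch-directory list and all function names are assumptions to adjust per site.

```python
import os
import stat

CORE_PATTERN = "/proc/sys/kernel/core_pattern"
# Assumption: packaged crash handlers treated as expected; adjust per site.
KNOWN_HELPERS = {
    "/usr/share/apport/apport", "/usr/libexec/abrt-hook-ccpp",
    "/usr/lib/systemd/systemd-coredump", "/lib/systemd/systemd-coredump",
}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def parse_core_pattern(value):
    """Return the helper path if the pattern pipes to a program, else None."""
    value = value.strip()
    if not value.startswith("|"):
        return None  # plain file-name template, no helper is run
    fields = value[1:].split()
    # The path is resolved from the root directory, so make it absolute.
    return os.path.normpath("/" + fields[0].lstrip("/")) if fields else ""

def stat_helper(path):
    """Return (uid, mode) of the helper, or None if it does not exist."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, st.st_mode

def audit(value, lookup=stat_helper):
    """Return a list of findings for one core_pattern value."""
    helper = parse_core_pattern(value)
    if not helper:  # None: no pipe in use; "": pipe marker without a program
        return [] if helper is None else ["pipe marker with no helper path"]
    findings = []
    if helper not in KNOWN_HELPERS:
        findings.append("helper not in allowlist: " + helper)
    if helper.startswith(SCRATCH_DIRS):
        findings.append("helper lives in a world-writable directory")
    info = lookup(helper)
    if info is None:
        findings.append("helper file is missing")
    elif info[0] != 0 or info[1] & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("helper not root-owned or is group/world-writable")
    return findings

if __name__ == "__main__":
    with open(CORE_PATTERN) as fh:
        print(audit(fh.read()) or "core_pattern looks expected")
```

Running it periodically and alerting on any change in the findings puts this setting under the same monitoring as other root-run hooks.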

