fluent / fluentd-docs

This repository is deprecated. Go to fluentd-docs-gitbook repository.

How to control the path and permission of '/tmp/sigdump-[0-9]+.log' files at the systemd shutdown. #607

Open kuzukami opened 5 years ago

kuzukami commented 5 years ago

I want to tighten the permissions of files to ensure system security from the CIS viewpoint.

In my setup, td-agent 1.3.3 on CentOS7, '/tmp/sigdump-[0-9]+.log' files are unexpectedly dumped on every shutdown of the systemd td-agentd service. Furthermore, the almost fully open permission of the sigdump files (666 in my environment) cannot be controlled by either the 'UMask' setting or the 'file_permission' setting of the configuration file. (relation?: https://github.com/fluent/fluentd/pull/1152 )

As far as I read the fluentd document, the sigdump files are written (only?) if the fluentd receives the SIGCONT signal. If the implementation of the sigdump behavior has no bug, the descriptions below could be appended in the document.

  1. the event of dumping sigdump in the standard setup of td-agent
  2. how to control the path of sigdump file. env SIGDUMP_PATH? (https://github.com/frsyuki/sigdump/blob/master/lib/sigdump.rb)
  3. how to control the permission of sigdump file. (I cannot find a solution.)
  4. how to remove or suppress the sigdump files

fujimotos commented 5 years ago

As a point of clarification, td-agent is not really supposed to create a dump file on every shutdown; if your td-agent keeps receiving SIGCONT on shutdown, there is probably something wrong with the systemd configuration.

  2. how to control the path of sigdump file. env SIGDUMP_PATH?

Yes. You should be able to change the output path by setting the environment variable SIGDUMP_PATH.

  3. how to control the permission of sigdump file.

Right now there is no way to change it. We'll need to submit a patch to frsyuki/sigdump to add the feature.

  4. how to remove or suppress the sigdump files

I think you can either remap the signal to something not used (i.e. SIGUSR2), or set SIGDUMP_PATH to - (which means "output the dump to stdout").
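
Since the thread concludes that sigdump itself offers no permission setting, a host-side check is one way to catch the loosely permissioned dump files described above. The following is an added example, not part of the original thread or of fluentd/sigdump; it assumes GNU find (as on CentOS 7), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit sigdump dump files for loose permissions.
# Assumes GNU find (-maxdepth, -perm /MODE, -printf). Function names
# audit_sigdump and tighten_sigdump are hypothetical.

# Print "MODE OWNER PATH" for every sigdump-<digits>.log directly under
# the given directory (default /tmp) that is writable by group or others,
# e.g. the mode 666 reported in the issue.
# Exit status: 0 if at least one such file was found, 1 if none.
# find does not follow symlinks here, so only regular files are reported.
audit_sigdump() {
    dir=${1:-/tmp}
    find "$dir" -maxdepth 1 -type f -name 'sigdump-*.log' -perm /022 \
        -printf '%m %u %p\n' | grep -E '/sigdump-[0-9]+\.log$'
}

# Restrict every file reported by audit_sigdump to owner read/write (0600).
tighten_sigdump() {
    dir=${1:-/tmp}
    audit_sigdump "$dir" | while read -r _mode _owner path; do
        chmod 600 "$path"
    done
}
```

Run `audit_sigdump /tmp` from a periodic job to report offending files; if SIGDUMP_PATH has been pointed at another location, pass that file's directory instead.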