How come no core dump is created when an application has SUID set?

The memory of a setuid program might (is likely to, even) contain confidential data. So the core dump would have to be readable by root only.

If the core dump is owned by root, I don't see an obvious security hole, though the kernel would have to be careful not to overwrite an existing file.

Linux disables core dumps for setxid programs. To enable them, you need to do at least the following (I haven't checked that this is sufficient):

  • Enable setuid core dumps in general by setting the fs.suid_dumpable sysctl to 2, e.g. with echo 2 >/proc/sys/fs/suid_dumpable. (Note: 2, not 1; 1 means “I'm debugging the system as a whole and want to remove all security”.)
  • Call prctl(PR_SET_DUMPABLE, 1) from the program.
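As an added example (not part of this answer), a small Linux C program showing the per-process half of the procedure, prctl(PR_SET_DUMPABLE, 1), with a read-back of the flag, the system-wide fs.suid_dumpable value, and the RLIMIT_CORE limit, which also has to be non-zero for any dump to be written. It assumes a Linux host with /proc mounted.

```c
/* Added example, not code from the answer: inspect and set the knobs that
 * decide whether this process may dump core on Linux. */
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/resource.h>

/* Per-process flag: 0 = never dump, 1 = dump normally,
 * 2 = dump as a root-only file (reached via fs.suid_dumpable, not settable here). */
int get_dumpable(void)
{
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Re-enable dumping after a setuid transition cleared the flag.
 * Returns the flag read back after the call, or -1 if prctl failed. */
int enable_dumpable(void)
{
    if (prctl(PR_SET_DUMPABLE, 1, 0, 0, 0) != 0)
        return -1;
    return get_dumpable();
}

/* System-wide policy from /proc (0, 1 or 2); -1 if it cannot be read. */
int read_suid_dumpable(void)
{
    FILE *f = fopen("/proc/sys/fs/suid_dumpable", "r");
    int v = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* 1 if RLIMIT_CORE permits a dump, 0 if the soft limit is zero, -1 on error.
 * A zero limit silently suppresses dumps even when dumpable == 1. */
int core_limit_allows_dump(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    return rl.rlim_cur != 0;
}

int main(void)
{
    printf("fs.suid_dumpable   = %d\n", read_suid_dumpable());
    printf("dumpable before    = %d\n", get_dumpable());
    printf("dumpable after     = %d\n", enable_dumpable());
    printf("RLIMIT_CORE allows = %d\n", core_limit_allows_dump());
    return 0;
}
```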

The core dump contains a copy of everything which was in memory at the time of the fault. If the program is running suid, that means it needs access to something which you, as a user, do not have access to. If the program gets that information then dumps core, you'll be able to read that privileged information.

From your example above, it appears that you're able to get a core dump when running as root or if you remove the privilege escalation.

While it might be handy (for developers only methinks) to have easy access to a coredump from a setuid program, it is a security hole, and should be left in place.