[PATCH] UBUNTU: SAUCE: ptrace: restrict ptrace scope to children

Scott James Remnant scott at ubuntu.com
Thu May 13 08:39:48 UTC 2010


On Thu, 2010-05-13 at 01:33 -0700, Kees Cook wrote:

> This patch is specifically for blocking access to processes that hold
> credentials in memory but don't set prctl[1].  This change pro-actively
> helps protect such scenarios.
> 
Why don't you just fix the apps concerned to use prctl() or to lock
their memory?

> > So your patch adds inconvenience for no additional security, thus I
> > object to this.
> 
> Having developers/admins use sudo or add a file to /etc/sysctl.d to
> restore the original PTRACE behavior isn't much of an inconvenience.
> 
I disagree in the strongest terms.

If security gets in the way of people using their computers, they will
simply disable it.

  Fedora's SELinux policy

  Windows' UAC

Being able to debug processes running as your user is an important tool
for developers.  This will annoy the hell out of them, and they will
disable your patch.

That means we'll get less testing of your patch, and potential problems
will be hidden from us until release.

I really dislike this meme that it's acceptable for developers to have
to add toggles or files to restore a system to a state they can work
with; not because we should be developer focussed, but because our
developers are still our primary testers.


I would far prefer to have individual apps jailed from each other entirely,
empathy shouldn't be *able* to exec firefox, etc.

Scott
-- 
Scott James Remnant
scott at ubuntu.com
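The two positions above (Kees: the patch protects programs that hold credentials in memory "but don't set prctl"; Scott: fix those programs to call prctl() or lock their memory) both refer to things an application can do for itself. The following is an added example, not code from the thread or from the Ubuntu kernel patch, showing what that per-application protection looks like on Linux. It assumes the prctl meant is PR_SET_DUMPABLE, since the "[1]" reference is not reproduced here; the secret value is constructed for the demo.

```c
/* Added example (not from the thread): how an application holding a
 * secret in memory can protect itself without a kernel-wide ptrace
 * restriction. Linux-only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Mark the process non-dumpable. On Linux this also makes the kernel
 * refuse ptrace attachment from other unprivileged processes of the same
 * uid (a CAP_SYS_PTRACE holder can still attach), and /proc/<pid>/mem and
 * friends stop being readable by them. Returns 0 on success, -1 on error. */
int disable_core_dumps(void)
{
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
}

/* Query the current dumpable state: 0 = not dumpable, 1 = dumpable. */
int is_dumpable(void)
{
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Overwrite a buffer through a volatile pointer so the compiler cannot
 * drop the store as a dead write. */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--)
        *v++ = 0;
}

/* Return 1 if every byte of the buffer is zero, else 0. */
int all_zero(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0)
            return 0;
    return 1;
}

/* Hold a (constructed) secret for the duration of some work, keeping it
 * out of swap with mlock and wiping it afterwards. mlock only prevents the
 * secret from landing on disk; it does NOT stop a debugger, which is why
 * disable_core_dumps() is the half that matters for ptrace.
 * Returns 0 if the buffer was locked and wiped, 1 if mlock was refused
 * (e.g. RLIMIT_MEMLOCK exhausted) but the secret was still wiped,
 * -1 if the wipe failed. */
int hold_secret_and_wipe(void)
{
    static unsigned char secret[64];   /* demo buffer standing in for key material */
    int locked = (mlock(secret, sizeof secret) == 0);

    /* Constructed sample secret; a real program would load key material here. */
    memcpy(secret, "constructed-demo-secret", 23);

    /* ... use the secret ... */

    secure_wipe(secret, sizeof secret);
    if (locked)
        munlock(secret, sizeof secret);

    if (!all_zero(secret, sizeof secret))
        return -1;
    return locked ? 0 : 1;
}

int main(void)
{
    if (disable_core_dumps() != 0) {
        perror("prctl(PR_SET_DUMPABLE)");
        return 1;
    }
    printf("dumpable: %d\n", is_dumpable());
    int r = hold_secret_and_wipe();
    printf("secret wiped; mlock %s\n", r == 0 ? "held" : "unavailable");
    return r < 0;
}
```

Note the trade-off the thread is arguing about: with PR_SET_DUMPABLE cleared, an attempt to attach gdb to this process as the same user fails, but only for this process, so other programs of the user stay debuggable. A system-wide ptrace restriction gives that protection to programs that never made the call, at the cost Scott describes.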