[PATCH] UBUNTU: SAUCE: ptrace: restrict ptrace scope to children

Kees Cook kees.cook at canonical.com
Wed May 26 20:49:14 UTC 2010


Hi Tim,

On Wed, May 26, 2010 at 01:31:07PM -0600, Tim Gardner wrote:
> Is it safe to assume that developers that might encounter this minor
> restriction would also have ubuntu-dev-tools installed? We could add
> something to that package that swizzles
> /proc/sys/kernel/ptrace_scope, thereby avoiding inconvenience to
> developers while still providing a good test for the normal install.

That's certainly a good idea.  I can put the question to ubuntu-devel.  The
two classes of people hit by this are "developers" and "sysadmins", both
really nebulous classes.  If ubuntu-dev-tools adds a setting to
/etc/sysctl.d/, that could work.  For sysadmins, I still think it would be
best to retrain them to either use "sudo" or temporarily turn on the
ptrace_scope setting, as the rest of their system probably shouldn't have
ptrace enabled normally.  Regardless, I expect a lively discussion.  :)

-Kees

-- 
Kees Cook
Ubuntu Security Team



