change coming with maverick's 2.6.34-5 kernels
Kees Cook
kees at ubuntu.com
Tue Jun 1 17:51:54 BST 2010
On Mon, May 31, 2010 at 07:21:08AM +0200, Martin Pitt wrote:
> Kees Cook [2010-05-30 22:03 -0700]:
> > - add a file to /etc/sysctl.d/ that restores the PTRACE scope to "0"
> > if a specific package is installed (e.g. ubuntu-dev-tools; something
> > that the normal user will not install).
>
> This would be too unexpected and surprising IMHO. I'd rather ship a
> file 10-ptrace-security.conf by default with the re-enabling sysctl
> commented out, so that it's easy to re-enable without looking for
> docs.
Yeah, this is probably correct. It's what we do for things like
syncookies already.
The trouble this change faces is the surprise factor for things suddenly
not working. I feel like the sysctl docs is pretty good for sysadmins, but
probably not the best option for developers. That said, I'm uncomfortable
with a package disabling the protection unconditionally.
For mmap_min_addr, I added a debconf question to the wine package. Should
I do the same for ubuntu-dev-tools maybe?
-Kees
--
Kees Cook
Ubuntu Security Team
More information about the ubuntu-devel
mailing list