change coming with maverick's 2.6.34-5 kernels
Kees Cook
kees at ubuntu.com
Tue Jun 1 17:54:00 BST 2010
On Mon, May 31, 2010 at 08:42:58AM -0400, Evan Broder wrote:
> On Mon, May 31, 2010 at 1:03 AM, Kees Cook <kees at ubuntu.com> wrote:
> > a) Using "strace -p PID" and gdb's "attach" command will NOT work
> > unless you are the root user (i.e. use "sudo strace -p PID ...")
> > Running stuff with "strace" and "gdb" directly will work normally.
>
> I'm really, really struggling with this. I guess that I can see and
> understand the motivation for the change, but I expect this to
> completely and totally throw developers for a loop, which bothers me
> because I am one, and because most of my users here at school are as
> well.
Yeah, I want to avoid as much surprise as possible. This change breaks
long-standing behavior (though I tend to think this behavior is really a
misfeature).
> I would strongly favor adding aggressive feedback directly to
> applications that use ptrace. Can we patch strace and gdb to each
> check when they get an EPERM, and if the process they're attaching to
> has the same UID, print out a message pointing users at the sysctl?
This seems like probably the most direct way to get feedback into the hands
of the people getting blocked by the change.
-Kees
--
Kees Cook
Ubuntu Security Team