change coming with maverick's 2.6.34-5 kernels

Matthew Garrett mjg59 at srcf.ucam.org
Tue Jun 1 18:42:40 BST 2010


On Tue, Jun 01, 2010 at 10:38:02AM -0700, Kees Cook wrote:
> On Tue, Jun 01, 2010 at 06:26:34PM +0100, Matthew Garrett wrote:
> > So set it with pam_cap, and then hand it back to individual applications 
> > with a policy?
> 
> Presently there isn't a middle-ground between CAP_SYS_PTRACE (of all
> processes) and "PTRACE of my processes".

Yes, but I don't think that's the distinction you need to provide the 
security you want - and doing it this way avoids unexpectedly breaking 
developer applications.

-- 
Matthew Garrett | mjg59 at srcf.ucam.org


