change coming with maverick's 2.6.34-5 kernels
Matthew Garrett
mjg59 at srcf.ucam.org
Tue Jun 1 18:42:40 BST 2010
On Tue, Jun 01, 2010 at 10:38:02AM -0700, Kees Cook wrote:
> On Tue, Jun 01, 2010 at 06:26:34PM +0100, Matthew Garrett wrote:
> > So set it with pam_cap, and then hand it back to individual applications
> > with a policy?
>
> Presently there isn't a middle-ground between CAP_SYS_PTRACE (of all
> processes) and "PTRACE of my processes".
Yes, but I don't think that's the distinction you need to provide the
security you want - and doing it this way avoids unexpectedly breaking
developer applications.
--
Matthew Garrett | mjg59 at srcf.ucam.org
More information about the ubuntu-devel
mailing list