SELinuxDenyPtrace and security by default
Posted Apr 12, 2012 6:31 UTC (Thu) by JoeBuck
Parent article: SELinuxDenyPtrace and security by default
"if you understand what ptrace or gdb are, you probably can figure out how to turn this feature off."
What Dan misses is that his employer has sold a number of large deployments to corporate customers, where the software developers don't have root on the systems they use. What he also doesn't seem to sufficiently appreciate is that if a security feature has to be turned off to diagnose any problems, everyone will wind up being forced to turn it off, so he might as well have saved the work and not bothered with the feature.
That said, of course ptrace can be a security issue. Maybe there can be a more sophisticated way of limiting its use. For example, I don't want my browser, or any helper app that it launches, to be able to ptrace, but if I start a debugger from my terminal, it should be able to trace any non-setuid process I own. Come up with a way for processes we don't expect to use ptrace to be forbidden from doing it.