Review Request 117157: Unlock session via DBus

Thomas Lübking thomas.luebking at gmail.com
Sun Mar 30 18:32:02 BST 2014


On Sonntag, 30. März 2014 19:14:32 CEST, Thiago Macieira wrote:

>> /proc/sys/kernel/yama/ptrace_scope
>
> I'd never heard of Yama.
https://www.kernel.org/doc/Documentation/security/Yama.txt
Kinda new, but it's a stock kernel feature:
http://kernelnewbies.org/Linux_3.4


>> On top of this, one could also have ksmserver 
>> PTRACE_ATTACH/SEIZE itself (at
>> least on linux that used to be a singleton feature), but root access more
>> or less implies "game over" in this context (you could simply replace
>> ksmserver or the greeter app with a "fixed" variant and wait for the next
>> incident)
>
> Usually, root access and same-user access imply game-over. Which is why I 
> think this feature should be allowed in.

There's actually also prctl(PR_SET_DUMPABLE, ...) that can protect against debugging (more reliable than ptracing oneself and available since 2.3.20 ... ie. "ever") - protection against same-uid is lately been taken more seriously and the share of gdb users should be rather low.
Also Ubuntu apparently recently set ptrace_scope to one by default lately (apparently caused some help requests on ubuntuforums =)

I know that Arch has it set since a couple of month.

Cheers,
Thomas





More information about the kde-core-devel mailing list