Hello,

You have to remove CAP_SYS_PTRACE from all processes running in the chroot. You can patch the sources of your proxy to handle that by yourself with:

    int capget(cap_user_header_t header, cap_user_data_t data);
    int capset(cap_user_header_t header, const cap_user_data_t data);

Note that these functions are Linux specific, as CAP_SYS_PTRACE is Linux and not POSIX. But GRSecurity seems a better solution ...

On Sun, Dec 29, 2002 at 05:43:47PM +0200, Timo Sirainen wrote:
>
> grsecurity seems to disallow ptrace()ing processes outside its chroot,
> but even that wouldn't help me unless I created a separate chroot
> directory for each process. Well, maybe that would be useful as an
> option..
>

I did not check that, but the new ACL system in GRSecurity lets you handle capabilities, so maybe the simplest solution will be to disallow CAP_SYS_PTRACE for your proxy.

--
Frederic RAYNAL
http://www.security-labs.org/
Redacteur en chef de M.I.S.C.
Multi-Systems & Internet Security Cookbook
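Added example (not part of the original mail, and not code from the proxy discussed in the thread): how a process can drop CAP_SYS_PTRACE from itself with capget(2)/capset(2), which is what the reply above suggests patching into the proxy. It assumes a current Linux kernel, where the capability sets are two 32-bit words (_LINUX_CAPABILITY_VERSION_3, introduced with 64-bit capability sets in 2.6.25) rather than the single word of the 2002-era interface, and it calls the raw syscalls through syscall(2) because glibc declares neither capget nor capset. The function names has_cap and drop_cap are this example's own.

```c
/* Drop CAP_SYS_PTRACE from the calling process via raw capget/capset.
 * Linux only: CAP_SYS_PTRACE and the capability syscalls are not POSIX. */
#include <errno.h>
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define CAP_WORDS _LINUX_CAPABILITY_U32S_3   /* 2 words per set for version 3 */

enum which_set { SET_EFFECTIVE, SET_PERMITTED, SET_INHERITABLE };

static void init_header(struct __user_cap_header_struct *hdr)
{
    memset(hdr, 0, sizeof *hdr);
    hdr->version = _LINUX_CAPABILITY_VERSION_3;
    hdr->pid = 0;                        /* 0 = the calling thread */
}

static int read_caps(struct __user_cap_data_struct data[CAP_WORDS])
{
    struct __user_cap_header_struct hdr;
    init_header(&hdr);
    return (int)syscall(SYS_capget, &hdr, data);
}

/* Returns 1 if `cap` is in the chosen set, 0 if not, -1 on error. */
int has_cap(int cap, enum which_set which)
{
    struct __user_cap_data_struct data[CAP_WORDS];
    __u32 word;

    if (cap < 0 || (cap >> 5) >= CAP_WORDS) {
        errno = EINVAL;
        return -1;
    }
    if (read_caps(data) < 0)
        return -1;
    word = (which == SET_EFFECTIVE) ? data[cap >> 5].effective
         : (which == SET_PERMITTED) ? data[cap >> 5].permitted
         :                            data[cap >> 5].inheritable;
    return (int)((word >> (cap & 31)) & 1u);
}

/* Remove `cap` from the effective, permitted and inheritable sets of the
 * calling process.  Clearing it from permitted as well is what stops the
 * process from simply re-raising it later.  Lowering these sets needs no
 * privilege, so the call succeeds for an unprivileged process too (where it
 * is a no-op).  Returns 0 on success, -1 with errno set on failure. */
int drop_cap(int cap)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[CAP_WORDS];
    __u32 mask;
    int idx;

    if (cap < 0 || (cap >> 5) >= CAP_WORDS) {
        errno = EINVAL;
        return -1;
    }
    mask = 1u << (cap & 31);
    idx = cap >> 5;

    if (read_caps(data) < 0)
        return -1;
    data[idx].effective   &= ~mask;
    data[idx].permitted   &= ~mask;
    data[idx].inheritable &= ~mask;

    init_header(&hdr);
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -1;

    /* Re-read and verify rather than trusting the call blindly. */
    return has_cap(cap, SET_EFFECTIVE) == 0 ? 0 : -1;
}

int main(void)
{
    printf("CAP_SYS_PTRACE effective before: %d\n",
           has_cap(CAP_SYS_PTRACE, SET_EFFECTIVE));
    if (drop_cap(CAP_SYS_PTRACE) < 0) {
        perror("drop_cap");
        return 1;
    }
    printf("CAP_SYS_PTRACE effective after:  %d\n",
           has_cap(CAP_SYS_PTRACE, SET_EFFECTIVE));
    return 0;
}
```

Call drop_cap(CAP_SYS_PTRACE) in the proxy after it has done whatever needs root and before it chroots and starts serving; workers forked afterwards inherit the reduced sets. On current kernels the more thorough form of the same idea is to also remove the capability from the bounding set with prctl(PR_CAPBSET_DROP, CAP_SYS_PTRACE), so that even an exec of a file with file capabilities cannot regain it.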
This archive was generated by hypermail 2b30 : Tue Dec 31 2002 - 15:18:08 PST