> You have to remove the CAP_SYS_PTRACE to all processes running in the
> chroot.
>
> You can patch the sources of your proxy to handle that by yourself
> with:
>
>     int capget(cap_user_header_t header, cap_user_data_t data);
>     int capset(cap_user_header_t header, const cap_user_data_t data);
>
> Note that these functions are Linux specific as CAP_SYS_PTRACE is Linux
> and not POSIX.
>
> But GRSecurity seems a better solution ...

You could easily remove this capability globally using LCAP[1], which
modifies /proc/sys/kernel/cap-bound to remove it directly. Alternatively,
you could use an LKM[2] to capture and refuse any use of the ptrace
syscall itself. These have the benefit of being non-kernel-specific - no
patches are needed. If you have a security-enhanced kernel such as
grsecurity, then you should use its built-in capabilities limiting
functionality though.

[1] The original page seems to have gone AWOL, but you can find it in RPM
    form or as source here and there, such as from SecurityFocus. Do a
    google.

[2] For example http://www.hackinglinuxexposed.com/tools/p/noptrace.c.html

--
Brian Hatch                        Never knock on Death's door.
Systems and                        Ring the doorbell and run.
Security Engineer                  He hates that.
http://www.ifokr.org/bri/
Every message PGP signed
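The capget/capset approach suggested in the quoted message, written out as an added example; this is not code from either poster or from LCAP. It assumes Linux with the kernel UAPI header linux/capability.h available, calls the two system calls through syscall(2) (glibc does not declare wrappers for them), and uses the version 3 capability layout (two 32-bit words per set, kernel 2.6.26+). Dropping a capability from the effective, permitted and inheritable sets is always allowed, so drop_cap_sys_ptrace() works even for an unprivileged process. The separate bounding-set function uses prctl(PR_CAPBSET_DROP), the per-process replacement (kernel 2.6.25+) for the global /proc/sys/kernel/cap-bound knob that LCAP edited; it needs CAP_SETPCAP, so it is best effort here.

```c
/* Added example (not from the thread): drop CAP_SYS_PTRACE from the calling
 * process with the raw capget(2)/capset(2) system calls. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/prctl.h>
#include <linux/capability.h>   /* struct __user_cap_*_struct, CAP_SYS_PTRACE, CAP_TO_* */

/* syscall(2) is only declared by <unistd.h> under _GNU_SOURCE; declare it
 * explicitly so the example builds whatever feature macros are in effect. */
extern long syscall(long number, ...);

/* capget/capset have no glibc prototypes; go through syscall(2). */
static int raw_capget(struct __user_cap_header_struct *h, struct __user_cap_data_struct *d)
{
    return (int)syscall(SYS_capget, h, d);
}

static int raw_capset(struct __user_cap_header_struct *h, const struct __user_cap_data_struct *d)
{
    return (int)syscall(SYS_capset, h, d);
}

/* Read the calling process's capability sets in the version 3 layout. */
static int get_caps(struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3])
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 }; /* pid 0 = self */
    memset(data, 0, sizeof(*data) * _LINUX_CAPABILITY_U32S_3);
    return raw_capget(&hdr, data);
}

/* 1 if CAP_SYS_PTRACE is in the effective, permitted or inheritable set,
 * 0 if it is in none of them, -1 on error (errno set). */
int cap_sys_ptrace_held(void)
{
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (get_caps(data) != 0)
        return -1;
    unsigned idx  = CAP_TO_INDEX(CAP_SYS_PTRACE);   /* which 32-bit word */
    unsigned mask = CAP_TO_MASK(CAP_SYS_PTRACE);    /* bit within that word */
    return ((data[idx].effective | data[idx].permitted | data[idx].inheritable) & mask) ? 1 : 0;
}

/* Remove CAP_SYS_PTRACE from all three sets. Lowering capabilities never
 * needs privilege, so this also succeeds for an unprivileged process.
 * Returns 0 on success, -1 on error (errno set). */
int drop_cap_sys_ptrace(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (get_caps(data) != 0)
        return -1;
    unsigned idx  = CAP_TO_INDEX(CAP_SYS_PTRACE);
    unsigned mask = CAP_TO_MASK(CAP_SYS_PTRACE);
    data[idx].effective   &= ~mask;   /* cannot use it now ... */
    data[idx].permitted   &= ~mask;   /* ... cannot re-enable it ... */
    data[idx].inheritable &= ~mask;   /* ... and cannot pass it across execve() */
    return raw_capset(&hdr, data);
}

/* Also remove it from the per-process bounding set (kernel 2.6.25+), so that
 * execve() of a privileged binary cannot hand it back. Requires CAP_SETPCAP;
 * returns 0 on success, -1 with errno set (EPERM when unprivileged). */
int drop_cap_sys_ptrace_bounding(void)
{
#ifdef PR_CAPBSET_DROP
    return prctl(PR_CAPBSET_DROP, CAP_SYS_PTRACE, 0, 0, 0);
#else
    errno = ENOSYS;
    return -1;
#endif
}

int main(void)
{
    printf("CAP_SYS_PTRACE held before: %d\n", cap_sys_ptrace_held());
    if (drop_cap_sys_ptrace() != 0) {
        perror("capset");
        return 1;
    }
    if (drop_cap_sys_ptrace_bounding() != 0)
        perror("prctl(PR_CAPBSET_DROP) (needs CAP_SETPCAP; continuing)");
    printf("CAP_SYS_PTRACE held after:  %d\n", cap_sys_ptrace_held());
    return 0;
}
```

Build with `gcc -Wall -o noptrace noptrace.c` and run it once as root and once unprivileged: the bounding-set drop only succeeds in the first case, which is exactly why the thread reaches for a global mechanism (LCAP's cap-bound edit or an LKM) rather than trusting every program in the chroot to call capset on itself.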
This archive was generated by hypermail 2b30 : Tue Dec 31 2002 - 18:18:11 PST