Re: Preventing ptrace()

From: Timo Sirainen (tssat_private)
Date: Thu Jan 02 2003 - 20:38:18 PST

Next message: Peter Gutmann: "Re: Standards for developing secure software"

Previous message: Jeff Williams @ Aspect: "Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection"
Next in thread: Jason Lunz: "Re: Preventing ptrace()"
Reply: Jason Lunz: "Re: Preventing ptrace()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, 2002-12-29 at 17:43, Timo Sirainen wrote:
> While trying to prevent potentially flawed SSL libraries from causing
> much harm to my whole server, I've used a proxy process to handle it,
> chrooted to non-writable empty directory and running with a special UID.
> 
> But this still allows it to ptrace() to other proxy processes handling
> other connections and causing damage with them. Are there any reasonable
> ways to prevent this? Are there any other problems than ptrace with it?

Well, actually I should have just tested it instead of relying on my
flawed test programs..

Looks like once a process has called setuid(), no-one except root can
ptrace() it. I don't see this mentioned very clearly in any man page
though (*BSD, Linux).

Next message: Peter Gutmann: "Re: Standards for developing secure software"
Previous message: Jeff Williams @ Aspect: "Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection"
Next in thread: Jason Lunz: "Re: Preventing ptrace()"
Reply: Jason Lunz: "Re: Preventing ptrace()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 18:57:21 PST