On Sun, 2002-12-29 at 17:43, Timo Sirainen wrote: > While trying to prevent potentially flawed SSL libraries from causing > much harm to my whole server, I've used a proxy process to handle it, > chrooted to non-writable empty directory and running with a special UID. > > But this still allows it to ptrace() to other proxy processes handling > other connections and causing damage with them. Are there any reasonable > ways to prevent this? Are there any other problems than ptrace with it? Well, actually I should have just tested it instead of relying on my flawed test programs.. Looks like once a process has called setuid(), no-one except root can ptrace() it. I don't see this mentioned very clearly in any man page though (*BSD, Linux).
This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 18:57:21 PST