Re: Preventing ptrace()

From: Timo Sirainen (tssat_private)
Date: Thu Jan 02 2003 - 20:38:18 PST

  • Next message: Peter Gutmann: "Re: Standards for developing secure software"

    On Sun, 2002-12-29 at 17:43, Timo Sirainen wrote:
    > While trying to prevent potentially flawed SSL libraries from causing
    > much harm to my whole server, I've used a proxy process to handle it,
    > chrooted to non-writable empty directory and running with a special UID.
    > 
    > But this still allows it to ptrace() to other proxy processes handling
    > other connections and causing damage with them. Are there any reasonable
    > ways to prevent this? Are there any other problems than ptrace with it?
    
    Well, actually I should have just tested it instead of relying on my
    flawed test programs..
    
    Looks like once a process has called setuid(), no-one except root can
    ptrace() it. I don't see this mentioned very clearly in any man page
    though (*BSD, Linux).
    



    This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 18:57:21 PST