Re: Preventing ptrace()

From: Glynn Clements (glynn.clementsat_private)
Date: Mon Jan 13 2003 - 04:23:40 PST

  • Next message: David Wheeler: "Writing Secure code"

    Steffen Dettmer wrote:
    
    > > In 2.4.20, the actual permission checks for ptrace() are (from
    > > kernel/ptrace.c):
    > > 
    > > 	if (!task->mm->dumpable && !capable(CAP_SYS_PTRACE))
    > > 		goto bad;
    > 
    > This is really "&&"?
    
    Yep; cut-n-paste'd from the 2.4.20 source code. Note that a similar
    situation applies to the previous set of checks as well.
    
    > I had guessed, that if there is no
    > CAP_SYS_PTRACE, there is no ptrace allowed at all, and same
    > sounds logical for the "dumpable". What I'm missing?
    
    I don't know for sure, but it would appear that the capability is
    meant to override the ad-hoc mechanism. The following comment in
    kernel/sys.c suggests that the capability-handling code deals with uid
    manipulation issues itself.
    
     * cap_emulate_setxuid() fixes the effective / permitted capabilities of
     * a process after a call to setuid, setreuid, or setresuid.
     *
     *  1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of
     *  {r,e,s}uid != 0, the permitted and effective capabilities are
     *  cleared.
     *
     *  2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective
     *  capabilities of the process are cleared.
     *
     *  3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
     *  capabilities are set to the permitted capabilities.
     *
     *  fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should 
     *  never happen.
    
    -- 
    Glynn Clements <glynn.clementsat_private>
    



    This archive was generated by hypermail 2b30 : Mon Jan 13 2003 - 07:53:43 PST