On Wed, Jun 19, 2013 at 10:44:39AM -0700, Kees Cook wrote:
> This is what /etc/sysctl.d/ is for: changing defaults.
>
> There are, in fact, real protections with this change. Namely, the delay of
> attack expansion. Take the case of a server being attacked. If there are
> ssh connections left open from that machine, without the ptrace
> restrictions, an attacker can trivially jump down the existing connections,
> expanding the scope of the attack. With the restrictions, they must
> construct a trap for the user to fall into (.bashrc, etc) and wait for
> re-establishment of connections before credential theft can occur. The same
> is true for various desktop scenarios. Full user access is game-over from a
> technical perspective, but there are real-world situations where this
> restriction is an improvement.

Currently, the security benefit seems too minor to be worth the problems it
causes (as a default). However:

> Debugging applications, by default, will not be able to attach to existing
> running processes, that is certainly a down-side to the restriction.
> However, running processes under a debugger is still possible, and doing
> live debugging as root is still possible. The root user using "strace -p"
> is a very common sysadmin workflow, and it's affected by this restriction.
> Ubuntu carries patches to gdb, strace, and ltrace that contain more helpful
> error messages, so maybe Debian could carry those as well.

Right, that's the sort of thing I would want in place before making this the
default. It would be better still if you could get those changes into the
upstream versions.

> Unfortunately, many upstreams have repeatedly refused to use the "dumpable"
> flag like ssh-agent does (e.g. gpg), so it won't work as a general
> solution. Blocking sibling ptracing also improves container security.

What were the reasons given for that?

> This is a good default, and if specific system owners don't want it
> enabled, they can choose to turn it off in /etc/sysctl.d/, just like other
> things.

Of course, but they have to know about it first.

Ben.

-- 
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking. - Albert Camus
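The thread turns on two practical points: the ptrace restriction is a sysctl whose default is meant to be overridden through /etc/sysctl.d/, and, as Ben notes, an administrator "has to know about it first". The script below is an added example, not code from the thread or from Debian, Ubuntu or the kernel: it parses sysctl.conf-style drop-in files and reports which value of kernel.yama.ptrace_scope would actually take effect and which file set it. The file contents are constructed in memory so the script runs offline; the precedence model (files applied in lexical basename order, a file in an earlier search directory shadowing a same-named file in a later one, /etc/sysctl.conf applied last) is the one documented for procps `sysctl --system` and is stated here as an assumption, since other loaders may differ.

```python
"""Audit which kernel.yama.ptrace_scope a set of sysctl drop-in files yields.

Added example; the file contents below are constructed, not taken from any host.
"""
import glob
import posixpath
from typing import Dict, List, Optional, Tuple

# Constructed sample of a host where the distribution ships a default, an
# admin shadowed it with a same-named file in /etc, and a later file re-enables it.
SAMPLE_FILES: Dict[str, str] = {
    "/usr/lib/sysctl.d/10-ptrace.conf": "# distribution default\nkernel.yama.ptrace_scope = 1\n",
    "/etc/sysctl.d/10-ptrace.conf": "# local admin turned it off\nkernel.yama.ptrace_scope = 0\n",
    "/etc/sysctl.d/99-hardening.conf": (
        "; slash form of the same key, applied after 10-ptrace.conf\n"
        "kernel/yama/ptrace_scope = 1\n"
        "-net.ipv4.ip_forward = 0\n"   # leading '-' means: ignore errors if the key is missing
    ),
    "/etc/sysctl.conf": "kernel.panic = 10\n",
}

# Assumed search order (procps `sysctl --system`): earlier directories win for
# files of the same basename; /etc/sysctl.conf is read last of all.
SEARCH_DIRS: List[str] = [
    "/run/sysctl.d", "/etc/sysctl.d", "/usr/local/lib/sysctl.d",
    "/usr/lib/sysctl.d", "/lib/sysctl.d",
]

# Meaning of each Yama level, for the report.
PTRACE_SCOPE_LEVELS: Dict[str, str] = {
    "0": "classic: any process may attach to another with the same uid",
    "1": "restricted: only descendants, or a process named via PR_SET_PTRACER",
    "2": "admin-only: attaching requires CAP_SYS_PTRACE",
    "3": "no attach: ptrace attach disabled until reboot",
}


def normalize_key(key: str) -> str:
    """sysctl accepts both a.b.c and a/b/c; strip the optional error-suppressing '-'."""
    return key.strip().lstrip("-").strip().replace("/", ".")


def parse_sysctl_file(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs in file order, skipping blanks, comments and junk lines."""
    settings: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings.append((normalize_key(key), value.strip()))
    return settings


def ordered_files(paths) -> List[str]:
    """Apply the assumed precedence model and return files in the order they take effect."""
    chosen: Dict[str, str] = {}          # basename -> winning path
    for path in paths:
        directory, name = posixpath.split(path)
        if directory not in SEARCH_DIRS or not name.endswith(".conf"):
            continue
        current = chosen.get(name)
        if current is None or SEARCH_DIRS.index(directory) < SEARCH_DIRS.index(posixpath.dirname(current)):
            chosen[name] = path
    ordered = [chosen[name] for name in sorted(chosen)]
    if "/etc/sysctl.conf" in paths:
        ordered.append("/etc/sysctl.conf")
    return ordered


def effective_settings(files: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map each key to (value, path-that-set-it) after all files are applied in order."""
    effective: Dict[str, Tuple[str, str]] = {}
    for path in ordered_files(files):
        for key, value in parse_sysctl_file(files[path]):
            effective[key] = (value, path)      # later files override earlier ones
    return effective


def audit_ptrace_scope(files: Dict[str, str]) -> Tuple[Optional[str], Optional[str], str]:
    """Return (value, source file, human-readable meaning) for kernel.yama.ptrace_scope."""
    hit = effective_settings(files).get("kernel.yama.ptrace_scope")
    if hit is None:
        return None, None, "not set by any drop-in; the kernel's built-in default applies"
    value, path = hit
    return value, path, PTRACE_SCOPE_LEVELS.get(value, "unknown level")


def load_from_disk() -> Dict[str, str]:
    """Read the real files from a host (not used by the offline demo above)."""
    found = {}
    for directory in SEARCH_DIRS:
        for path in glob.glob(posixpath.join(directory, "*.conf")):
            with open(path, encoding="utf-8", errors="replace") as fh:
                found[path] = fh.read()
    try:
        with open("/etc/sysctl.conf", encoding="utf-8", errors="replace") as fh:
            found["/etc/sysctl.conf"] = fh.read()
    except OSError:
        pass
    return found


if __name__ == "__main__":
    value, source, meaning = audit_ptrace_scope(SAMPLE_FILES)
    print(f"kernel.yama.ptrace_scope = {value} (from {source}): {meaning}")
```

Run against the constructed sample it reports level 1 from /etc/sysctl.d/99-hardening.conf, even though the lexically earlier /etc/sysctl.d/10-ptrace.conf set it to 0 and shadowed the copy under /usr/lib. Swapping `SAMPLE_FILES` for `load_from_disk()` turns it into the "do I actually have this enabled?" check the thread says administrators need; note that the running kernel's value lives in /proc/sys/kernel/yama/ptrace_scope and can differ if a file was edited after boot.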