Re: Using sgid binaries to defend against LD_PRELOAD/ptrace()
On Sun, Apr 27, 2008 at 06:22:38PM +0200, Florian Weimer wrote:
> * Josselin Mouette:
> > Given that it seems unlikely that we obtain another solution, should we
> > start right now with that stuff?
> I think it's a bit foolish to abuse SGID bits to take away permissions.
> This kind of restriction is essentially a configuration option, and
> applying it to the wrong program may break tools like fakeroot. This
> information should not be stored under /usr.
> There has to be a cleaner solution, such as a sysctl that, when enabled,
> restricts ptrace to root.
... which will then be disabled on any system where a user needs to debug
any application, leaving everything vulnerable to ptrace attacks as before.
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/