Re: New proposed system group "scap" and setuid binary "dumpcalls"
On Mon, Oct 06, 2025 at 05:15:47PM +0200, Bastian Blank wrote:
> On Mon, Oct 06, 2025 at 05:01:39PM +0200, Bálint Réczey wrote:
> > > From my view: it needs to employ the "can ptrace" check for any
> > > monitored process.
> > I think that would also be against the monitoring's usefulness. Not
> > ptrace-able processes can cause issues to be triaged, too.
>
> In that case you need to go through the normal elevation rules. So
> either sudo or packagekit.
I think you may mean PolicyKit? But yes, ideally this would use
PolicyKit rather than a group-limited setuid/setcap binary.

In the absence of that, the group at least needs to be documented as
root-equivalent, since systemwide monitoring of syscalls on privileged
processes almost certainly is.