
Preventing ptrace()

From: Timo Sirainen <tss(at)iki.fi>
Date: Sun Dec 29 2002 - 10:43:47 EST


While trying to prevent potentially flawed SSL libraries from causing much harm to my whole server, I've used a proxy process to handle it, chrooted to a non-writable empty directory and running with a special UID.

But this still allows it to ptrace() other proxy processes handling other connections and cause damage with them. Are there any reasonable ways to prevent this? Are there any other problems than ptrace with it?

Best I can think of now is to use a different UID for each process, but I don't really like it. This can't be done in the default configuration and there's no easy way to keep track of allocated UID ranges, especially if more programs started to use this method..

grsecurity seems to disallow ptrace()ing processes outside its chroot, but even that wouldn't help me unless I created a separate chroot directory for each process. Well, maybe that would be useful as an option..

Received on Tue Dec 31 02:55:24 2002
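Added example, not part of the original post or of any project's code: the confinement the message describes (chroot to an empty directory, switch to a special UID), followed by a Linux-specific step the post does not mention, `prctl(PR_SET_DUMPABLE, 0)`, which makes the kernel refuse ptrace attachment from processes without CAP_SYS_PTRACE, including siblings under the same UID. The jail path and the UID/GID values are constructed, and the function names are hypothetical.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <unistd.h>

/* Linux-specific (an addition, not from the post): clear the "dumpable"
 * flag. The kernel then refuses PTRACE_ATTACH from any process lacking
 * CAP_SYS_PTRACE, even one with the same UID. Returns 0 on success. */
int deny_ptrace(void)
{
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    /* Read the flag back rather than trusting the call. */
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0 ? 0 : -1;
}

/* Confine the calling (root) process as the post describes: chroot to
 * an empty directory, then switch to the proxy UID/GID.
 * jail, uid and gid are caller-supplied, hypothetical values. */
int enter_proxy_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    /* Groups first: after setuid() we could no longer change them. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* A successful setuid(0) here would mean the drop did not stick. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return deny_ptrace();
}

int main(void)
{
    /* Constructed values for illustration only. */
    if (enter_proxy_jail("/var/empty/proxy", 65533, 65533) != 0) {
        perror("enter_proxy_jail (needs root)");
        if (deny_ptrace() != 0)   /* still usable without root */
            return 1;
    }
    printf("dumpable=%d\n", prctl(PR_GET_DUMPABLE, 0, 0, 0, 0));
    return 0;
}
```

The dumpable flag is reset when the process calls execve() on an ordinary binary, so `deny_ptrace()` has to run in the program that actually handles the connection, not in a launcher that execs it.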

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:44 EDT

