[GLLUG] Does anyone use Linux capabilities ?

Nix nix at esperi.org.uk
Thu Nov 13 22:28:18 UTC 2014


On 28 Oct 2014, Andy Smith outgrape:

> Hello,
>
> On Tue, Oct 28, 2014 at 05:34:03PM +0000, Alain Williams wrote:
>> On Tue, Oct 28, 2014 at 05:28:41PM +0000, Andy Smith wrote:
>> > Ditto, but also to trace processes (lsof, strace and friends). In
>> > recent kernels non-root user can't even strace their own processes.
>> 
>> !!! That is taking one of my favourite toys away!
>
> Only relevant if your distribution uses the YAMA LSM. Ubuntu does.

... and obviously you can turn it off if you're actually using something
that needs to ptrace() -- but a lot of systems never run anything that
needs to ptrace() or access memory of other processes, even other
processes owned by the same user. YAMA stops attackers doing that, too,
even if they manage to run arbitrary code. (In practice, I doubt this
helps much: they can elevate to root easily enough, and then they can
pervert the kernel via countless routes, or just replace your binaries
and wait for you to run them again, and then all bets are off.)

-- 
NULL && (void)
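The post above turns on whether the YAMA LSM is loaded and how its ptrace_scope sysctl is set. The following script is an added example, not part of the original message or of any GLLUG poster's code: it reads the YAMA setting from its real sysctl path (/proc/sys/kernel/yama/ptrace_scope, which is absent on kernels without YAMA), explains what each value permits according to the kernel's YAMA documentation, and says whether same-uid ptrace by an unrelated process is currently blocked. The function names and the output wording are my own.

```shell
#!/bin/sh
# Added example (not from the original post): inspect the YAMA ptrace_scope
# setting and report what it allows. Value meanings follow the kernel's
# Documentation/admin-guide/LSM/Yama.rst.

YAMA_SYSCTL=/proc/sys/kernel/yama/ptrace_scope

# describe_ptrace_scope VALUE: print a one-line meaning; return 1 if unknown.
describe_ptrace_scope() {
    case "$1" in
        0) echo "0: classic ptrace; any process may trace another of the same uid" ;;
        1) echo "1: restricted; only descendants (or PR_SET_PTRACER targets) may be traced" ;;
        2) echo "2: admin-only; attaching requires CAP_SYS_PTRACE" ;;
        3) echo "3: no attach; ptrace attach is disabled until reboot" ;;
        *) echo "unknown value: $1" >&2; return 1 ;;
    esac
}

# read_ptrace_scope [PATH]: print the current value, or "absent" when the
# file does not exist (YAMA not built in or not enabled on this kernel).
read_ptrace_scope() {
    f="${1:-$YAMA_SYSCTL}"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo "absent"
    fi
}

# is_restricted VALUE: exit 0 when an arbitrary process running as the same
# user can no longer attach to your other processes.
is_restricted() {
    case "$1" in
        1|2|3) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    v=$(read_ptrace_scope)
    if [ "$v" = "absent" ]; then
        echo "YAMA not present: same-uid ptrace is unrestricted"
        return 0
    fi
    describe_ptrace_scope "$v" || return 0
    if is_restricted "$v"; then
        echo "same-uid ptrace is restricted: code running as you cannot attach to your other processes"
    else
        echo "same-uid ptrace is allowed: set kernel.yama.ptrace_scope=1 via sysctl to restrict it"
    fi
}

main
```

Run it as an ordinary user; no privileges are needed to read the value. At scope 1 (Ubuntu's default), "strace ./prog" still works because the traced process is a descendant, while "strace -p PID" on an unrelated process of your own fails with EPERM, which is the behaviour the thread complains about. Lowering the value with "sysctl -w kernel.yama.ptrace_scope=0" requires root and, as the post notes, is only worth doing on a machine that genuinely runs something that needs to ptrace; scope 3 cannot be lowered again without a reboot.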
