Disable ptrace for kcheckpass and the greeter

Review Request #126203 - Created Nov. 30, 2015 and submitted

Information
Martin Flöser
kscreenlocker
Reviewers
plasma
berner

Setting the PR_SET_DUMPABLE flag to 0 for the security relevant
command kcheckpass and kscreenlocker_greet. If one wants to gdb into
the running command it will result in:

ptrace: Operation not permitted.

For kscreenlocker_greet ptrace is permitted in testing mode.

As root it's still possible to attach to the process.


@Tobias: I assume this is a strong linux-ism. Is there a FreeBSD compareable functionality?

I'm considering to push this explicitly without an ifdef. It's a new security feature and I want to make non-Linux systems aware of the fact that it adds a new feature and that a replacement should be added.

Tried to gdb into the processes: failed
Tried to gdb into kscreenlocker_greet --testing: succeeded
Tried to gdb into kscreenlocker_greet as root: succeeded

Issues

  • 0
  • 4
  • 0
  • 4
Description From Last Updated
Tobias Berner
Raphael Kubo da Costa
Martin Flöser
Raphael Kubo da Costa
Martin Flöser
Raphael Kubo da Costa
Martin Flöser
Review request changed

Status: Closed (submitted)

Change Summary:

Submitted with commit 88a497e4c6b7599cf859703e25d65ba8bb2873ce by Martin Gräßlin to branch master.
Loading...