码迷,mamicode.com
首页 > 其他好文 > 详细

Ptrace_scope的作用及设置

时间:2014-08-13 12:36:16      阅读:697      评论:0      收藏:0      [点我收藏+]

标签:des   http   os   io   strong   for   ar   art   

Short answer: no practical danger yet, but read on for a better way...


What‘s this ptrace thing anyway?

this is due to a bug in the Ubuntu kernel that prevents ptrace and WINE playing well together.

  • No, ptrace protection is a deliberate kernel security measure first introduced around Ubuntu 10.10. It‘s not a bug, and so isn‘t going to be "fixed".

  • In simple terms, the default ptrace_scope value of 1 blocks one process from examining and modifying another process unless the second process (child) was started by the first process (parent).

  • This can cause problems with some programs under Wine because of the way wineserver provides "Windows Services" to these programs.

What are the risks in setting ptrace_scope to 0?

  • This restores the old behavior where one process can "trace" another process, even if there is no parent-child relationship.

  • In theory, a piece of malware can use this to harm you/your computer; e.g. it can attach to Firefox and log all of your URLs/passwords, etc. In practice this is extremely unlikely unless you blindly install binary debs from random sites, etc.

  • As far as debugging goes, the 0 settings is in fact required for gdb, strace, etc. to attach to non-children unless you run them with elevated privileges (sudo).

What are the problems with the workaround?

  • The workaround is somewhat problematic because ptrace_scope is a global value, and while it‘s set to 0, all processes on your system are exempt from the non-child restriction.
  • If you use the workaround, put it in a simple bash script that enables it, runs your Windows program and then disables (sets to 1) on exit.
    • DO NOT make ptrace_scope world-writable (666) as the forum post recommends -- that is a huge security risk because now any process can change it at will!

Is there a better solution?

  • A better solution which is more secure and does not require repetitively modifying ptrace_scope is to grant Wineserver ptrace capabilities.

    • In a terminal:

      sudo apt-get install libcap2-bin 
      sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
      sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
      
    • This exempts the wineserver and wine-preloader binaries from the non-child ptrace restriction, and allows them to ptrace any process.

    • It only needs to be done once, and is safer because these binaries are usually from a trusted source - the official repositories or the official Wine PPA, so they aren‘t going to be malware.

If you‘re using Crossover

Install libcap2:

sudo apt-get install libcap2-bin;

Then, add an exception for Crossover:

sudo setcap cap_sys_ptrace=eip /opt/cxoffice/bin/wineserver;
sudo setcap cap_sys_ptrace=eip /opt/cxoffice/bin/wine-preloader;

Finally, add its libraries to ld.so.conf (or you will get "error while loading shared libraries: libwine.so.1: cannot open shared object file: No such file or directory"):

echo /opt/cxoffice/lib/ | sudo tee /etc/ld.so.conf.d/crossover.conf
sudo /sbin/ldconfig

Ptrace_scope的作用及设置,布布扣,bubuko.com

Ptrace_scope的作用及设置

标签:des   http   os   io   strong   for   ar   art   

原文地址:http://www.cnblogs.com/cane/p/3909420.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!