SELinuxDenyPtrace: Write, compile, run, but don't debug applications?

Miloslav Trmač mitr at volny.cz
Sun Apr 8 23:01:49 UTC 2012


On Sun, Apr 8, 2012 at 10:50 PM, Tom Lane <tgl at redhat.com> wrote:
> And, as I said, the alternative is that this gets turned off, by me
> and probably a very large fraction of other Fedora users.  How is
> that "more secure"?

Perhaps people installing servers in high-risk situations could just
not turn it off.  OTOH in high-risk situations there are usually quite
a few non-default settings, so that's not a great reason.

I think a case can be made for disabling ptrace by default to protect
ordinary users, at the cost of annoying developers or with one more
step - but it's a weak case that would need much more discussion and
experience than the originally proposed feature.  Kevin's report that
this breaks DrKonqi is a fairly good reason not to disable ptrace by
default.
   Mirek