Limiting access to ptrace() call in Linux

Ability to trace and debug software on servers is not needed for most users. Giving them right to trace processes may leak information and if ptrace() is vulnerable lead to more problems.

Sptrace is a secure ptrace() Linux Kernel Module (LKM). It limits users’ access to the ptrace() call. It can disable strace (and ltrace) altogether, or if you add a ptrace group to your system, only users in that group will be able to use ptrace() call.

When someone not allowed to trace processes uses program that call ptrace() current and parent processes names, pids, uids and euids are logged, e.g.:

Dec 29 00:39:27 techie kernel: sptrace: ptrace() DENIED for (strace:28733) UID(1000) EUID(1000), parent (strace:28732) UID(1000) EUID(1000)
Dec 29 00:39:40 techie kernel: sptrace: ptrace() DENIED for (ltrace:28745) UID(1000) EUID(1000), parent (ltrace:28744) UID(1000) EUID(1000)

New version was just adjusted to reflect changes in Linux and was tested with latest kernel version available (2.6.23). Support for 2.4 line is still there, but it is no longer tested.

Download: sptrace-1.4.1.tar.gz (.asc)

md5sum: d0b58eced8f60e696c39dfaf4b306771
sha1sum: 49696880b92837e35e16b6a34c346b00084df4e2

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

  

  

  

This site uses Akismet to reduce spam. Learn how your comment data is processed.