zoukankan      html  css  js  c++  java

  • Ptrace_scope的作用及设置

    echo "0"|sudo tee /proc/sys/kernel/yama/ptrace_scope

    Short answer: no practical danger yet, but read on for a better way...

    What's this ptrace thing anyway?

    this is due to a bug in the Ubuntu kernel that prevents ptrace and WINE playing well together.

    • No, ptrace protection is a deliberate kernel security measure first introduced around Ubuntu 10.10. It's not a bug, and so isn't going to be "fixed".

    • In simple terms, the default ptrace_scope value of 1 blocks one process from examining and modifying another process unless the second process (child) was started by the first process (parent).

    • This can cause problems with some programs under Wine because of the way wineserver provides "Windows Services" to these programs.

    What are the risks in setting ptrace_scope to 0?

    • This restores the old behavior where one process can "trace" another process, even if there is no parent-child relationship.

    • In theory, a piece of malware can use this to harm you/your computer; e.g. it can attach to Firefox and log all of your URLs/passwords, etc. In practice this is extremely unlikely unless you blindly install binary debs from random sites, etc.

    • As far as debugging goes, the 0 settings is in fact required for gdb, strace, etc. to attach to non-children unless you run them with elevated privileges (sudo).

    What are the problems with the workaround?

    • The workaround is somewhat problematic because ptrace_scope is a global value, and while it's set to 0, all processes on your system are exempt from the non-child restriction.
    • If you use the workaround, put it in a simple bash script that enables it, runs your Windows program and then disables (sets to 1) on exit.
      • DO NOT make ptrace_scope world-writable (666) as the forum post recommends -- that is a huge security risk because now any process can change it at will!

    Is there a better solution?

    • A better solution which is more secure and does not require repetitively modifying ptrace_scope is to grant Wineserver ptrace capabilities.

      • In a terminal:

        sudo apt-get install libcap2-bin 
sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader

      • This exempts the wineserver and wine-preloader binaries from the non-child ptrace restriction, and allows them to ptrace any process.

      • It only needs to be done once, and is safer because these binaries are usually from a trusted source - the official repositories or the official Wine PPA, so they aren't going to be malware.

    If you're using Crossover

    Install libcap2:

    sudo apt-get install libcap2-bin;

    Then, add an exception for Crossover:

    sudo setcap cap_sys_ptrace=eip /opt/cxoffice/bin/wineserver;
sudo setcap cap_sys_ptrace=eip /opt/cxoffice/bin/wine-preloader;

    Finally, add its libraries to ld.so.conf (or you will get "error while loading shared libraries: libwine.so.1: cannot open shared object file: No such file or directory"):

    echo /opt/cxoffice/lib/ | sudo tee /etc/ld.so.conf.d/crossover.conf
sudo /sbin/ldconfig
  • 相关阅读:
    【程序员面试宝典】第五章 程序设计基本概念
    win7打开或关闭windows功能 提示“出现错误,并非所有的功能被更改”,管理员权限惹的祸
    堆排序
    目态与管态的概念
    循环不变式的概念
    getchar()函数的返回值赋给char型,用if(ch=getchar() != EOF)测试,输入ctrl+z同样可以结束循环的分析
    java算法 -- 冒泡排序
    Java算法 -- 二分查找
    Sql知识点总结
    java实现 链表反转
  • 原文地址:https://www.cnblogs.com/cane/p/3909420.html
Copyright © 2011-2022 走看看