# This file is managed by puppet. # # The PTRACE system is used for debugging. With it, a single user process # can attach to any other dumpable process owned by the same user. In the # case of malicious software, it is possible to use PTRACE to access # credentials that exist in memory (re-using existing SSH connections, # extracting GPG agent information, etc). # # A PTRACE scope of "0" is the more permissive mode. A scope of "1" limits # PTRACE only to direct child processes (e.g. "gdb name-of-program" and # "strace -f name-of-program" work, but gdb's "attach" and "strace -fp $PID" # do not). The PTRACE scope is ignored when a user has CAP_SYS_PTRACE, so # "sudo strace -fp $PID" will work as before. For more details see: # https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace # # For applications launching crash handlers that need PTRACE, exceptions can # be registered by the debugee by declaring in the segfault handler # specifically which process will be using PTRACE on the debugee: # prctl(PR_SET_PTRACER, debugger_pid, 0, 0, 0); # # In general, PTRACE is not needed for the average running Ubuntu system. # To that end, the default is to set the PTRACE scope to "1". This value # may not be appropriate for developers or servers with only admin accounts. kernel.yama.ptrace_scope = 0