| # The ptrace system call is used for interprocess services, |
| # communication and introspection (like synchronisation, signaling, |
| # debugging, tracing and profiling) of processes. |
| # |
| # Usage of ptrace is restricted by normal user permissions. Normal |
| # unprivileged processes cannot use ptrace on processes that they |
| # cannot send signals to or processes that are running set-uid or |
| # set-gid. Nevertheless, processes running under the same uid will |
| # usually be able to ptrace one another. |
| # |
| # Fedora enables the Yama security mechanism which restricts ptrace |
| # even further. Sysctl setting kernel.yama.ptrace_scope can have one |
| # of the following values: |
| # |
| # 0 - Normal ptrace security permissions. |
| # 1 - Restricted ptrace. Only child processes plus normal permissions. |
| # 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE. |
| # 3 - No attach. No process may call ptrace at all. Irrevocable. |
| # |
| # For more information see Documentation/security/Yama.txt in the |
| # kernel sources. |
| # |
| # The default is 1., which allows tracing of child processes, but |
| # forbids tracing of arbitrary processes. This allows programs like |
| # gdb or strace to work when the most common way of having the |
| # debugger start the debuggee is used: |
| # gdb /path/to/program ... |
| # Attaching to already running programs is NOT allowed: |
| # gdb -p ... |
| # This default setting is suitable for the common case, because it |
| # reduces the risk that one hacked process can be used to attack other |
| # processes. (For example, a hacked firefox process in a user session |
| # will not be able to ptrace the keyring process and extract passwords |
| # stored only in memory.) |
| # |
| # Developers and administrators might want to disable those protections |
| # to be able to attach debuggers to existing processes. Use |
| # sysctl kernel.yama.ptrace_scope=0 |
| # for change the setting temporarily, or copy this file to |
| # /etc/sysctl.d/20-yama-ptrace.conf to set it for future boots. |
| |
| kernel.yama.ptrace_scope = 0 |