Hello,

Not really here to defend the current setting. But I have run with it set to 
1 for several years and have not noticed any real issues. 

-Steve

On Monday, August 12, 2024 10:27:18 AM EDT pgnd wrote:
> in
> 
>       distro
>               Name: Fedora Linux 40 (Forty)
>               Version: 40
>               Codename:
> 
>       uname -rm
>               6.10.3-200.fc40.x86_64 x86_64
> 
> 
> default ptrace is DISABLED,
> 
>       cat /usr/lib/sysctl.d/10-default-yama-scope.conf
>               ...
>               kernel.yama.ptrace_scope = 0
> 
>       grep -iE "yama|ptrace" /boot/config-6.10.3-200.fc40.x86_64
>               # CONFIG_YAMAHA_YAS530 is not set
>               CONFIG_SECURITY_YAMA=y
>               CONFIG_LSM="lockdown,yama,integrity,selinux,bpf,landlock"
> 
> provided by
> 
>       rpm -q --whatprovides /usr/lib/sysctl.d/10-default-yama-scope.conf
>               elfutils-default-yama-scope-0.191-4.fc40.noarch
> 
> required by
> 
>       dnf repoquery --requires elfutils-default-yama-scope
> !!            /bin/sh
> 
> listed as 'medium' severity at, e.g.,
> 
>       RHEL 9 must restrict usage of ptrace to descendant processes.
>       
> https://www.stigviewer.com/stig/red_hat_enterprise_linux_9/2023-09-13/finding/V-257811
> 
>               "Unrestricted usage of ptrace allows compromised binaries to
> run ptrace on other processes of the user. Like this, the attacker can steal
> sensitive information from the target processes (e.g., SSH sessions, web
> browser, etc.) without any additional assistance from the user (i.e.,
> without resorting to phishing). Satisfies: SRG-OS-000132-GPOS-00067,
> SRG-OS-000480-GPOS-00227"
> &
> 
>       Protect against ptrace of processes: kernel.yama.ptrace_scope
>       
> https://linux-audit.com/protect-ptrace-processes-kernel-yama-ptrace_scope/
> 
> 
> both recommend
> 
>       kernel.yama.ptrace_scope > 0
> 
> it's been discussed at great length @ Fedora/RH long ago,
> 
>       Bug 1209492 - BUG: Yama blocks ptrace'ing my own process
>        https://bugzilla.redhat.com/show_bug.cgi?id=1209492
> 
>       Bug 1250178 - Review Request: yama-config-disable-ptrace - Disable Yama
> ptrace restrictions at boot
> https://bugzilla.redhat.com/show_bug.cgi?id=1250178
> 
> in the above discussions, use cases including "password manager" are
> bandied about.
> 
> it's recently raised its head in a password manager -- 1password,
> specifically
> 
>       https://1password.community/discussion/comment/715818/#Comment_715818
> 
> , which had/has affected a significant # of users here.
> 
> afaict (?) no further discussion @ RH BZ since the 2015 thread,
> the original assignee left RH, off to MS,
> and, the "= 0" default remains as of today, stating clearly @
> 
>       /usr/lib/sysctl.d/10-default-yama-scope.conf
> 
>               ...
>               # This runtime kernel parameter can be set to the following options:
> !!            # (Note that setting this to anything except zero will break programs!)
>               ...
> 
> given the advisories, the current effects on userspace apps, and other
> distros' (Debian/Ubuntu at least) switch to "=1", what's the current
> rationale for keeping the Fedora *default* sysctl = 0?
> 
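The question above turns on where the `= 0` default comes from and what each scope level actually permits. As an added example (not code from the thread, Fedora, or elfutils), the script below reports the live value, describes the four levels, and resolves which sysctl.d fragment wins; it assumes the systemd-sysctl(8) precedence rules (a file in an earlier directory masks a same-named file in a later one, then fragments apply in lexicographic filename order, so the latest name wins for a repeated key) and ignores /etc/sysctl.conf.

```python
"""Audit kernel.yama.ptrace_scope: live value and which sysctl.d fragment sets it.
Added example for this thread (not Fedora/elfutils code); assumes systemd-sysctl(8)
precedence: earlier dirs mask same-named files, then lexicographic filename order."""
from pathlib import Path
KEY = "kernel.yama.ptrace_scope"
# Meaning of each level, from Documentation/admin-guide/LSM/Yama.rst.
SCOPES = {
    0: "classic: any same-uid process may attach (subject to the dumpable flag)",
    1: "restricted: only a descendant, or a tracer named via prctl(PR_SET_PTRACER)",
    2: "admin-only: attaching requires CAP_SYS_PTRACE",
    3: "no attach: ptrace attach disabled; cannot be lowered without a reboot",
}
# Search order used by systemd-sysctl; an earlier directory masks later ones.
SYSCTL_DIRS = ("/etc/sysctl.d", "/run/sysctl.d", "/usr/local/lib/sysctl.d",
               "/usr/lib/sysctl.d", "/lib/sysctl.d")

def parse_fragment(text):
    """{key: value} for one sysctl.d file: skips comments/blanks, strips '-', maps a/b to a.b."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lstrip("-").replace("/", ".")] = value
    return settings

def resolve(fragments, key=KEY):
    """fragments: [(directory, filename, text)]. Returns (value, 'dir/file') or (None, None)."""
    winners = {}                                   # filename -> (dir, text); first dir wins
    for directory in SYSCTL_DIRS:
        for d, name, text in fragments:
            if d == directory and name not in winners:
                winners[name] = (d, text)
    value = source = None
    for name in sorted(winners):                   # later filename overrides earlier
        d, text = winners[name]
        if key in (settings := parse_fragment(text)):
            value, source = int(settings[key]), f"{d}/{name}"
    return value, source

def live_scope(path=Path("/proc/sys/kernel/yama/ptrace_scope")):
    """Current kernel value, or None when Yama is absent or /proc is unreadable."""
    try:
        return int(path.read_text().strip())
    except (OSError, ValueError):
        return None

if __name__ == "__main__":                         # report the running system
    frags = [(d, p.name, p.read_text()) for d in SYSCTL_DIRS
             for p in Path(d).glob("*.conf") if p.is_file()]
    print("live:", live_scope(), SCOPES.get(live_scope()), "| configured by:", resolve(frags))
```

Dropping a file such as /etc/sysctl.d/99-ptrace.conf with `kernel.yama.ptrace_scope = 1` overrides the vendor 10-default-yama-scope.conf without editing the elfutils-owned file, and the script shows which fragment is in effect after `sysctl --system`.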




-- 
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org