Problem with ptrace protection in Ubuntu

Hi.

I am running andLinux/coLinux:

$ uname -a
Linux andLinux 2.6.33.7-co-0.7.10-r1588 #1 PREEMPT Mon Aug 8 04:13:31 UTC 2011 i686 athlon i386 GNU/Linux

But...

$ cat /etc/motd | head -n 1
Welcome to Ubuntu 11.10 (GNU/Linux 2.6.33.7-co-0.7.10-r1588 i686)

Now the problem is so-called "ptrace protection", explained there:
https://wiki.edubuntu.org/SecurityTeam/Roadmap/KernelHardening#ptrace_Protection

I tried to use tools like reptyr and injcode:
https://github.com/nelhage/reptyr#readme
https://github.com/ThomasHabets/injcode#readme

Both of them do not work as expected. My suspicion is that this is due to my combination of coLinux kernel
(without yama) and new Ubuntu (relying on yama). I tried to run the tools as root (sudo -i) because I
expected ptrace protection to be inactive according to the description at Ubuntu, but to no avail.

My questions are:
  1) Can you confirm that my suspicion is correct?
  2a) If not, what else might be the reason for my problems?
  2b) If so, is there anything I can do about it like downloading a coLinux kernel with built-in yama support
from somewhere or asking you to build in yama protection in the future?

Disclaimer: Maybe I am not asking the right questions. Please note that I am a user, not a kernel hacker.

yin sun | 3 Feb 03:28

Re: Problem with ptrace protection in Ubuntu

I guess you are right, there is no yama LSM in 2.6.33.7

/Yin

On Tue, Jan 31, 2012 at 8:48 PM, Alexander Kriegisch
<kriegaex@...> wrote:
> Hi.
>
> I am running andLinux/coLinux:
>
> $ uname -a
> Linux andLinux 2.6.33.7-co-0.7.10-r1588 #1 PREEMPT Mon Aug 8 04:13:31 UTC 2011 i686 athlon i386 GNU/Linux
>
> But...
>
> $ cat /etc/motd | head -n 1
> Welcome to Ubuntu 11.10 (GNU/Linux 2.6.33.7-co-0.7.10-r1588 i686)
>
> Now the problem is so-called "ptrace protection", explained there:
> https://wiki.edubuntu.org/SecurityTeam/Roadmap/KernelHardening#ptrace_Protection
>
> I tried to use tools like reptyr and injcode:
> https://github.com/nelhage/reptyr#readme
> https://github.com/ThomasHabets/injcode#readme
>
> Both of them do not work as expected. My suspicion is that this is due to my combination of coLinux kernel
> (without yama) and new Ubuntu (relying on yama). I tried to run the tools as root (sudo -i) because I
> expected ptrace protection to be inactive according to the description at Ubuntu, but to no avail.
>
> My questions are:

yin sun | 3 Feb 06:47

Re: Problem with ptrace protection in Ubuntu

OK, I tried on my Debian 6.0.3 (latest coLinux kernel), rettyer works.
And I am sure that coLinux doesn't have yama. Whether it has yama or not
may not be your problem, since it only provides protection for non-root users.
Not sure what else could be wrong, sorry I can't help you more.

/Yin

On Thu, Feb 2, 2012 at 6:28 PM, yin sun <sunyin51@...> wrote:
> I guess you are right, there is no yama LSM in 2.6.33.7
>
> /Yin
>
> On Tue, Jan 31, 2012 at 8:48 PM, Alexander Kriegisch
> <kriegaex@...> wrote:
>> Hi.
>>
>> I am running andLinux/coLinux:
>>
>> $ uname -a
>> Linux andLinux 2.6.33.7-co-0.7.10-r1588 #1 PREEMPT Mon Aug 8 04:13:31 UTC 2011 i686 athlon i386 GNU/Linux
>>
>> But...
>>
>> $ cat /etc/motd | head -n 1
>> Welcome to Ubuntu 11.10 (GNU/Linux 2.6.33.7-co-0.7.10-r1588 i686)
>>
>> Now the problem is so-called "ptrace protection", explained there:
>> https://wiki.edubuntu.org/SecurityTeam/Roadmap/KernelHardening#ptrace_Protection
>>

Re: Problem with ptrace protection in Ubuntu

Thanks Yin for testing this and trying to help me.

Probably you mean either reptyr or retty when you mention that you
tested this on your system (I do not know a tool named rettyer).

I do not know about Debian 6.0.3, but I guess it does not have yama in
its original kernel so there is no damage done if colinux does not have
it either. Debian 6.0.3 just does not expect it, so the test is kind of
pointless. Let me explain (again) why: I am running Ubuntu 11.10. Its
original kernel *does* have yama, so the rest of the system expects it
to exist. Probably it checks the return value of
/proc/sys/kernel/yama/ptrace_scope, but that "file" does not exist if
there is no yama. Now reptyr even knows about yama, showing a warning
message if /proc/sys/kernel/yama/ptrace_scope returns 1. As soon as I
set it to 0 on my native Ubuntu, reptyr works nicely. I guess it also
does on colinux if you use an OS which does not expect yama ptrace
protection to be in the kernel, e.g. an older Ubuntu or probably your
Debian 6.0.3.

Do you understand the issue at hand now? I hope I made myself clearer
now. Maybe you have a clue for me. Is there a way to simulate this
"file" /proc/sys/kernel/yama/ptrace_scope and make it always return 0 so
Ubuntu and reptyr are satisfied?

Thanks again
--
Alexander

yin sun, 03.02.2012 06:47:
> OK, I tried on my debian 6.0.3 (latest colinux kernel), rettyer works.
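
Added example (not part of the original messages, and not code from reptyr or coLinux): a shell diagnostic for the situation described in the message above, reporting whether /proc/sys/kernel/yama/ptrace_scope exists and what its value means for one process attaching to another. The function names and the PROC parameter are hypothetical; the scope meanings 0 to 3 follow the kernel's Yama documentation, uid 0 stands in for CAP_SYS_PTRACE, and PR_SET_PTRACER exceptions are not modelled.

```shell
#!/bin/sh
# Simplified model of the kernel's ptrace attach decision under Yama.
# PROC is a parameter (normally /proc) so it can be tried on a constructed tree.
# Assumptions: uid 0 stands in for CAP_SYS_PTRACE; PR_SET_PTRACER is ignored.
# Print the ptrace_scope value, or "absent" when the kernel has no Yama.
yama_scope() {
    f="$1/sys/kernel/yama/ptrace_scope"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# status_field PROC PID KEY: first value of KEY (PPid, Uid) in PID's status.
status_field() {
    [ -r "$1/$2/status" ] || return 0
    awk -v k="$3:" '$1 == k { print $2; exit }' "$1/$2/status"
}

# is_descendant PROC TRACER TARGET: walk TARGET's PPid chain up to TRACER.
is_descendant() {
    pid=$(status_field "$1" "$3" PPid)
    while [ -n "$pid" ] && [ "$pid" -gt 0 ]; do
        [ "$pid" = "$2" ] && return 0
        pid=$(status_field "$1" "$pid" PPid)
    done
    return 1
}

# ptrace_verdict PROC TRACER_PID TARGET_PID: print "allowed: ..." or "denied: ...".
ptrace_verdict() {
    scope=$(yama_scope "$1")
    tuid=$(status_field "$1" "$2" Uid)
    [ -n "$tuid" ] || { echo "unknown: tracer $2 not found"; return 0; }
    [ "$scope" = 3 ] && { echo "denied: scope 3 disables attach for everyone"; return 0; }
    [ "$tuid" = 0 ] && { echo "allowed: tracer is root (scope $scope)"; return 0; }
    if [ "$tuid" != "$(status_field "$1" "$3" Uid)" ]; then
        echo "denied: different uid (scope $scope)"; return 0
    fi
    case "$scope" in
        absent|0) echo "allowed: same uid, no Yama restriction (scope $scope)" ;;
        1) if is_descendant "$1" "$2" "$3"; then
               echo "allowed: target is a descendant of the tracer (scope 1)"
           else
               echo "denied: scope 1 only allows tracing descendants"
           fi ;;
        2) echo "denied: scope 2 requires CAP_SYS_PTRACE" ;;
        *) echo "unknown: unexpected scope value $scope" ;;
    esac
}

if [ "$#" -eq 2 ]; then ptrace_verdict /proc "$1" "$2"; fi
```

Saved as a script, it takes the tracer's PID and the target's PID as its two arguments and reads the live /proc.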

Johann Pascher | 3 Feb 18:40

Re: coLinux-users Digest, Vol 69, Issue 2

Hi Alexander Kriegisch (kriegaex),

I don't have any problem with it on Ubuntu 12.04 (speedlinux).
Did test with this example:
http://monkeypatch.me/blog/move-a-running-process-to-a-new-screen-shell.html
Best regards, Johann Pascher


Re: coLinux-users Digest, Vol 69, Issue 2

Well, actually I succeeded now with simple examples like one-process,
one-I/O-channel stuff, e.g. a long-running "find /" on one console,
transferring it to another. I could not manage to get a "mc" session to
another TTY though. Maybe this is because of the sub-shell in mc. But I
am also failing at a simple "make menuconfig" because make also has a
sub-process (mconf). I can only transfer "leaves" of a process tree,
i.e. the mconf instance itself.

Do you succeed in doing such stuff?

BTW: Why is the reply-to header wrong in this list and I am always
replying to people privately in the first try?
--
Alexander Kriegisch (kriegaex)
http://freetz.org

Johann Pascher, 03.02.2012 18:40:
> Hi Alexander Kriegisch (kriegaex),
> 
> I don't have any problem with it on Ubuntu 12.04 (speedlinux)
> Did test with this example:
> http://monkeypatch.me/blog/move-a-running-process-to-a-new-screen-shell.html
> Best regards, Johann Pascher
> 

