in distro

  Name: Fedora Linux 40 (Forty)
  Version: 40
  Codename:

  uname -rm
    6.10.3-200.fc40.x86_64 x86_64

default ptrace is DISABLED,

  cat /usr/lib/sysctl.d/10-default-yama-scope.conf
    ...
    kernel.yama.ptrace_scope = 0

  grep -iE "yama|ptrace" /boot/config-6.10.3-200.fc40.x86_64
    # CONFIG_YAMAHA_YAS530 is not set
    CONFIG_SECURITY_YAMA=y
    CONFIG_LSM="lockdown,yama,integrity,selinux,bpf,landlock"

provided by

  rpm -q --whatprovides /usr/lib/sysctl.d/10-default-yama-scope.conf
    elfutils-default-yama-scope-0.191-4.fc40.noarch

required by

  dnf repoquery --requires elfutils-default-yama-scope
    !! /bin/sh

listed as 'medium' severity at, e.g.,

  RHEL 9 must restrict usage of ptrace to descendant processes.
  https://www.stigviewer.com/stig/red_hat_enterprise_linux_9/2023-09-13/finding/V-257811

    "Unrestricted usage of ptrace allows compromised binaries to run ptrace
    on other processes of the user. Like this, the attacker can steal
    sensitive information from the target processes (e.g., SSH sessions,
    web browser, etc.) without any additional assistance from the user
    (i.e., without resorting to phishing).
    Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227"

&

  Protect against ptrace of processes: kernel.yama.ptrace_scope
  https://linux-audit.com/protect-ptrace-processes-kernel-yama-ptrace_scope/

both recommend kernel.yama.ptrace_scope > 0

it's been discussed at great length @ Fedora/RH long ago,

  Bug 1209492 - BUG: Yama blocks ptrace'ing my own process
  https://bugzilla.redhat.com/show_bug.cgi?id=1209492

  Bug 1250178 - Review Request: yama-config-disable-ptrace - Disable Yama ptrace restrictions at boot
  https://bugzilla.redhat.com/show_bug.cgi?id=1250178

in the above discussions, use cases including "password manager" are bandied about.

it's recently raised its head in a password manager -- 1Password, specifically

  https://1password.community/discussion/comment/715818/#Comment_715818

, which had/has affected a significant # of users here.

afaict (?) no further discussion @ RH BZ since the 2015 thread, the original assignee left RH, off to MS, and the "= 0" default remains as of today, stating clearly @

  /usr/lib/sysctl.d/10-default-yama-scope.conf
    ...
    # This runtime kernel parameter can be set to the following options:
    !! # (Note that setting this to anything except zero will break programs!)
    ...

given the advisories, the current effects on userspace apps, and other distros' (Debian/Ubuntu at least) switch to "=1", what's the current rationale for keeping the Fedora *default* sysctl = 0?

--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
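The behaviour the STIG text and the "will break programs!" comment are arguing about can be shown directly. The program below is an added example, not part of the list post or of any Fedora/elfutils code: it forks a target and a sibling attacker (same uid, neither an ancestor nor a descendant of the other) and tries PTRACE_ATTACH. With kernel.yama.ptrace_scope = 0 the attach succeeds; with = 1 it fails with EPERM unless the target has opted in with prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY), which is the documented Yama mechanism a debugger-friendly or crash-handler-style program uses instead of requiring scope 0. The scope descriptions follow the kernel's Yama documentation; the function and variable names are this example's own.

```c
/* Added example: what kernel.yama.ptrace_scope actually gates.
 * Build: gcc -Wall -o yama_demo yama_demo.c ; run as an unprivileged user.
 * Compare the output after: sudo sysctl -w kernel.yama.ptrace_scope=1 */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Current scope from procfs; -1 if Yama is not available. */
int read_ptrace_scope(void) {
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (!f) return -1;
    int v = -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Meaning of each value, per Documentation/admin-guide/LSM/Yama.rst. */
const char *scope_meaning(int scope) {
    switch (scope) {
    case 0: return "classic: any same-uid process may attach";
    case 1: return "restricted: only descendants, or targets that called PR_SET_PTRACER";
    case 2: return "admin-only: attach requires CAP_SYS_PTRACE";
    case 3: return "no attach: ptrace attach disabled until reboot";
    default: return "unknown / Yama not loaded";
    }
}

/* Fork a target (optionally opting in via PR_SET_PTRACER_ANY) and a sibling
 * attacker that calls PTRACE_ATTACH on it. Returns 0 if the attach succeeded,
 * the attacker's errno if it failed (EPERM under scope >= 1 without opt-in),
 * or -1 if the attacker did not exit normally (e.g. killed by seccomp). */
int try_sibling_attach(int target_opts_in) {
    int ready[2];
    if (pipe(ready) != 0) return errno;

    pid_t target = fork();
    if (target < 0) return errno;
    if (target == 0) {
        if (target_opts_in)
            prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0);
        close(ready[0]);
        if (write(ready[1], "r", 1) != 1) _exit(1);  /* tell parent we're set up */
        close(ready[1]);
        for (;;) pause();
    }
    close(ready[1]);
    char c;
    if (read(ready[0], &c, 1) != 1) { kill(target, SIGKILL); waitpid(target, NULL, 0); return -1; }
    close(ready[0]);

    pid_t attacker = fork();
    if (attacker < 0) { kill(target, SIGKILL); waitpid(target, NULL, 0); return errno; }
    if (attacker == 0) {
        int rc = 0;
        if (ptrace(PTRACE_ATTACH, target, NULL, NULL) == -1) {
            rc = errno;                         /* EPERM when Yama refuses */
        } else {
            waitpid(target, NULL, 0);           /* tracee stops with SIGSTOP */
            ptrace(PTRACE_DETACH, target, NULL, NULL);
        }
        _exit(rc);
    }
    int status = 0;
    waitpid(attacker, &status, 0);
    kill(target, SIGKILL);
    waitpid(target, NULL, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    int scope = read_ptrace_scope();
    printf("kernel.yama.ptrace_scope = %d (%s)\n", scope, scope_meaning(scope));
    int r = try_sibling_attach(0);
    printf("sibling attach, no opt-in:            %s\n", r ? strerror(r) : "succeeded");
    r = try_sibling_attach(1);
    printf("sibling attach, PR_SET_PTRACER_ANY:   %s\n", r ? strerror(r) : "succeeded");
    return 0;
}
```

Run it twice, once with the Fedora default and once after setting the sysctl to 1 (a drop-in in /etc/sysctl.d overrides /usr/lib/sysctl.d/10-default-yama-scope.conf). The first attach flips from "succeeded" to "Operation not permitted"; the second keeps succeeding, which is the point usually missed in the "breaks programs" argument: a program that needs to be traced by a non-descendant can declare that itself, per target, rather than the whole system staying at scope 0.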