# The ptrace system call is used for interprocess services,
# communication and introspection (like synchronisation, signaling,
# debugging, tracing and profiling) of processes.
#
# Usage of ptrace is restricted by normal user permissions. Normal
# unprivileged processes cannot use ptrace on processes that they
# cannot send signals to or processes that are running set-uid or
# set-gid. Nevertheless, processes running under the same uid will
# usually be able to ptrace one another.
#
# Fedora enables the Yama security mechanism which restricts ptrace
# even further. Sysctl setting kernel.yama.ptrace_scope can have one
# of the following values:
#
# 0 - Normal ptrace security permissions.
# 1 - Restricted ptrace. Only descendant (child) processes plus normal permissions.
# 2 - Admin-only attach. Only processes with CAP_SYS_PTRACE.
# 3 - No attach. No process may call ptrace at all. Irrevocable.
#
# For more information see Documentation/security/Yama.txt in the
# kernel sources.
#
# The default is 1, which allows tracing of child processes, but
# forbids tracing of arbitrary processes. This allows programs like
# gdb or strace to work when the most common way of having the
# debugger start the debuggee is used:
# gdb /path/to/program ...
# Attaching to already running programs is NOT allowed:
# gdb -p ...
# This default setting is suitable for the common case, because it
# reduces the risk that one hacked process can be used to attack other
# processes. (For example, a hacked firefox process in a user session
# will not be able to ptrace the keyring process and extract passwords
# stored only in memory.)
#
# Developers and administrators might want to disable those protections
# to be able to attach debuggers to existing processes. Use
# sysctl kernel.yama.ptrace_scope=0
# to change the setting temporarily, or copy this file to
# /etc/sysctl.d/20-yama-ptrace.conf to set it for future boots.
kernel.yama.ptrace_scope = 0
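As an added example (not part of this Fedora config file, the systemd package or the kernel sources), the following C program reads the live ptrace_scope value and then tries PTRACE_ATTACH twice as an unprivileged user: once on a direct child (the relationship `gdb /path/to/program` relies on) and once on an orphaned, unrelated process of the same uid (what `gdb -p` needs). The function names are this example's own, and the small policy model in `yama_allows_attach` assumes the classic permission checks (same uid, non-setuid target) already pass.

```c
/* yama_demo.c -- observe kernel.yama.ptrace_scope from an unprivileged program.
 * Added example for this config file; not part of Fedora's package or the
 * kernel sources.  Function names are the example's own.
 * Build and run:  cc -Wall -o yama_demo yama_demo.c && ./yama_demo
 */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Model of the four ptrace_scope values described in the comment block above.
 * The classic DAC rules (same uid, no setuid target) are assumed satisfied;
 * the PR_SET_PTRACER exception is not modelled.  Returns 1 if PTRACE_ATTACH
 * is expected to succeed, 0 if denied, -1 for an unknown scope value. */
int yama_allows_attach(int scope, int target_is_descendant, int has_cap_sys_ptrace)
{
    switch (scope) {
    case 0:  return 1;                                            /* classic rules only */
    case 1:  return (target_is_descendant || has_cap_sys_ptrace) ? 1 : 0;
    case 2:  return has_cap_sys_ptrace ? 1 : 0;
    case 3:  return 0;                                            /* nobody, root included */
    default: return -1;
    }
}

/* Read the live setting; -1 when Yama is absent or the value is unreadable. */
int read_ptrace_scope(void)
{
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    int v = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%d", &v) != 1 || v < 0 || v > 3)
        v = -1;
    fclose(f);
    return v;
}

/* Attempt PTRACE_ATTACH, report the outcome, detach again.
 * Returns 0 when the attach succeeded, otherwise the errno from ptrace(). */
static int try_attach(pid_t pid, const char *what)
{
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) {
        int e = errno;
        printf("attach to %s (pid %d): denied: %s\n", what, (int)pid, strerror(e));
        return e;
    }
    waitpid(pid, NULL, 0);                  /* tracee stops with SIGSTOP */
    ptrace(PTRACE_DETACH, pid, NULL, NULL);
    printf("attach to %s (pid %d): allowed\n", what, (int)pid);
    return 0;
}

int main(void)
{
    int scope = read_ptrace_scope();
    printf("kernel.yama.ptrace_scope = %d\n", scope);

    /* Case 1: our own child, the "gdb /path/to/program" relationship. */
    pid_t child = fork();
    if (child == 0) { pause(); _exit(0); }
    int child_err = try_attach(child, "direct child");
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);

    /* Case 2: a same-uid process that is NOT our descendant, the "gdb -p" case.
     * Double-fork: the grandchild is orphaned and reparented to init, so from
     * Yama's point of view it is unrelated to us. */
    int pfd[2];
    if (pipe(pfd) == -1)
        return 1;
    pid_t mid = fork();
    if (mid == 0) {
        pid_t gc = fork();
        if (gc == 0) { close(pfd[0]); close(pfd[1]); pause(); _exit(0); }
        if (write(pfd[1], &gc, sizeof gc) != sizeof gc) _exit(1);
        _exit(0);                           /* exiting here orphans the grandchild */
    }
    close(pfd[1]);
    pid_t gc = -1;
    if (read(pfd[0], &gc, sizeof gc) != sizeof gc)
        return 1;
    close(pfd[0]);
    waitpid(mid, NULL, 0);                  /* once mid is reaped, gc has been reparented */
    int other_err = try_attach(gc, "unrelated same-uid process");
    kill(gc, SIGKILL);                      /* not our child: init reaps it */

    int want_child = yama_allows_attach(scope, 1, 0);
    int want_other = yama_allows_attach(scope, 0, 0);
    printf("model predicts: child %s, unrelated %s\n",
           want_child == 1 ? "allowed" : "denied",
           want_other == 1 ? "allowed" : "denied");
    /* exit 0 when the observed behaviour matches the documented policy */
    return ((child_err == 0) == (want_child == 1) &&
            (other_err == 0) == (want_other == 1)) ? 0 : 2;
}
```

With the documented default of 1 the first attach succeeds and the second fails with EPERM; after `sysctl kernel.yama.ptrace_scope=0` both succeed, and at 2 or 3 both fail for an unprivileged user. Two caveats when reading the result: Yama.txt also lets a process opt in to being traced by a specific non-descendant via `prctl(PR_SET_PTRACER, tracer_pid, 0, 0, 0)` (crash handlers use this), which the model above deliberately does not cover, and container runtimes commonly block ptrace with seccomp, in which case both attempts are denied for reasons unrelated to this sysctl.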