• Ptrace_scope的作用及设置


    echo "0"|sudo tee /proc/sys/kernel/yama/ptrace_scope

    Short answer: no practical danger yet, but read on for a better way...


    What's this ptrace thing anyway?

    this is due to a bug in the Ubuntu kernel that prevents ptrace and WINE playing well together.

    • No, ptrace protection is a deliberate kernel security measure first introduced around Ubuntu 10.10. It's not a bug, and so isn't going to be "fixed".

    • In simple terms, the default ptrace_scope value of 1 blocks one process from examining and modifying another process unless the second process (child) was started by the first process (parent).

    • This can cause problems with some programs under Wine because of the way wineserver provides "Windows Services" to these programs.

    What are the risks in setting ptrace_scope to 0?

    • This restores the old behavior where one process can "trace" another process, even if there is no parent-child relationship.

    • In theory, a piece of malware can use this to harm you/your computer; e.g. it can attach to Firefox and log all of your URLs/passwords, etc. In practice this is extremely unlikely unless you blindly install binary debs from random sites, etc.

    • As far as debugging goes, the 0 settings is in fact required for gdb, strace, etc. to attach to non-children unless you run them with elevated privileges (sudo).

    What are the problems with the workaround?

    • The workaround is somewhat problematic because ptrace_scope is a global value, and while it's set to 0, all processes on your system are exempt from the non-child restriction.
    • If you use the workaround, put it in a simple bash script that enables it, runs your Windows program and then disables (sets to 1) on exit.
      • DO NOT make ptrace_scope world-writable (666) as the forum post recommends -- that is a huge security risk because now any process can change it at will!

    Is there a better solution?

    • A better solution which is more secure and does not require repetitively modifying ptrace_scope is to grant Wineserver ptrace capabilities.

      • In a terminal:

        sudo apt-get install libcap2-bin 
        sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
        sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
        
      • This exempts the wineserver and wine-preloader binaries from the non-child ptrace restriction, and allows them to ptrace any process.

      • It only needs to be done once, and is safer because these binaries are usually from a trusted source - the official repositories or the official Wine PPA, so they aren't going to be malware.

    If you're using Crossover

    Install libcap2:

    sudo apt-get install libcap2-bin;
    

    Then, add an exception for Crossover:

    sudo setcap cap_sys_ptrace=eip /opt/cxoffice/bin/wineserver;
    sudo setcap cap_sys_ptrace=eip /opt/cxoffice/bin/wine-preloader;
    

    Finally, add its libraries to ld.so.conf (or you will get "error while loading shared libraries: libwine.so.1: cannot open shared object file: No such file or directory"):

    echo /opt/cxoffice/lib/ | sudo tee /etc/ld.so.conf.d/crossover.conf
    sudo /sbin/ldconfig
  • 相关阅读:
    HDOJ2003求绝对值
    HDOJ2002计算球体积
    jsp input 限制只可输入时分秒 My97DatePicker
    BigDecimal格式化
    官方 Animator 例子解析 Animator.MatchTarget
    LoadAssetAtPath 与 Load 的区别
    SQLite 学习流水账笔记
    Unity3D Development模式下的一个小问题
    Sqlitekit 封装管理
    PhotoshopCS4轻松将PSD分层导出为Png分层
  • 原文地址:https://www.cnblogs.com/cane/p/3909420.html
Copyright © 2020-2023  润新知