[arch-general] possible root cause using Firefox
Travis Evans
travisgevans at gmail.com
Wed Apr 27 16:08:42 UTC 2016
On 27/04/16 07:22, Elmar Stellnberger wrote:
[...]
> It says "operation not permitted" here when trying to ptrace firefox
> which was launched just normally as always as user elm. Nonetheless it
> was possible to backtrace the hanging firefox-instance as user root as
> you can see in the P.S.-section.
> There are two things which I would like to say about it:
>
> * Firefox did apparently not only crash but acquire root privileges by
> doing so; otherwise it would not have needed user root to backtrace
> firefox (there is no SELinux, Apparmor or anything else running here; it
> is a plain Arch-installation)

I believe it's standard (for security reasons) in recent kernels to
require root to trace any process that isn't a direct child of the
tracer, even if the process is owned by the same user. This has been
true for me on Arch Linux as well as Ubuntu. It doesn't necessarily mean
Firefox gained root privileges. Try it on any other running user
process, and you'll probably get the same behavior.

I believe there's a knob (/proc/sys/kernel/yama/ptrace_scope) that
controls this restriction.
--
Travis Evans
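
Added example (not part of the original message): a POSIX shell check that separates the two explanations discussed above by comparing the target's effective UID from /proc/<pid>/status with the tracer's UID and reading the ptrace_scope knob. The function names and verdict strings are made up for this illustration; the meanings of scope values 0 to 3 follow the kernel's Yama documentation.

```shell
#!/bin/sh
# Added example: explain why a ptrace attach to a PID was refused.
# YAMA_FILE can be overridden so the logic can be run on sample files.
YAMA_FILE="${YAMA_FILE:-/proc/sys/kernel/yama/ptrace_scope}"

# Print the effective UID from a /proc/<pid>/status file.
# Line format: "Uid:  <real>  <effective>  <saved>  <fs>"
status_euid() {
    awk '$1 == "Uid:" { print $3; exit }' "$1"
}

# Print the Yama ptrace_scope value, or "absent" if the knob does not exist.
yama_scope() {
    if [ -r "$YAMA_FILE" ]; then cat "$YAMA_FILE"; else echo absent; fi
}

# diagnose <status-file> <tracer-uid>: print a one-word verdict
# (hypothetical labels, chosen for this example).
diagnose() {
    target_euid=$(status_euid "$1")
    tracer_uid=$2
    scope=$(yama_scope)
    if [ -z "$target_euid" ]; then echo unknown; return 1; fi
    if [ "$tracer_uid" = 0 ]; then
        # Scope 3 disables attaching for everyone, root included.
        [ "$scope" = 3 ] && echo yama-no-attach || echo allowed
    elif [ "$target_euid" != "$tracer_uid" ]; then
        echo different-uid          # target really runs as another user
    else
        case "$scope" in
            0|absent) echo other-restriction ;;  # e.g. non-dumpable process
            1) echo yama-restricted ;;           # only descendants traceable
            2) echo yama-admin-only ;;           # needs CAP_SYS_PTRACE
            3) echo yama-no-attach ;;
            *) echo unknown ;;
        esac
    fi
}

# Usage: sh ptrace-why.sh <pid>
if [ -n "${1:-}" ]; then
    diagnose "/proc/$1/status" "$(id -u)"
fi
```

A verdict of `yama-restricted` for a process whose effective UID matches your own means the "operation not permitted" error comes from the ptrace_scope setting, not from the process having changed user.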