[arch-general] possible root cause using Firefox

Travis Evans travisgevans at gmail.com
Wed Apr 27 16:08:42 UTC 2016

On 27/04/16 07:22, Elmar Stellnberger wrote:
>    It says "operation not permitted" here when trying to ptrace firefox
> which was launched just normally as always as user elm. Nonetheless it
> was possible to backtrace the hanging frifeox-instance as user root as
> you can see in the P.S.-section.
>    There are two things which I would like to say about it:
> * Firefox did apparently not only crash but acquire root privileges by
> doing so; otherwise it would not have needed user root to backtrace
> firefox (there is no SELinux, Apparmor or anything else running here; it
> is a plain Arch-installation)

I believe it's standard (for security reasons) in recent kernels to 
require root to trace any process that isn't a direct child of the 
tracer, even if the process is owned by the same user. This has been 
true for me on Arch Linux as well as Ubuntu. It doesn't necessarily mean 
Firefox gained root privileges. Try it on any other running user 
process, and you'll probably get the same behavior.

I believe there's a knob (/proc/sys/kernel/yama/ptrace_scope) that 
controls this restriction.

Travis Evans

More information about the arch-general mailing list