ptrace Block


Starting with kernel 3.10.0-427.18.s2.lve1.4.21 (CloudLinux 7) and 2.6.32-673.26.1.lve1.4.17 (CloudLinux 6), we re-implemented the ptrace block to protect against the ptrace family of vulnerabilities. It prevents end users from using any ptrace-related functionality, including commands such as strace, lsof or gdb.

By default, CloudLinux does not block ptrace: both sysctls default to 1.

Defaults:

kernel.user_ptrace = 1
kernel.user_ptrace_self = 1

Setting kernel.user_ptrace to 0 disables PTRACE_ATTACH (attaching to an already running process); setting kernel.user_ptrace_self to 0 disables PTRACE_TRACEME (a process asking to be traced by its parent).

To disable all ptrace functionality, set both sysctl options to 0 by adding this section to /etc/sysctl.conf:

## CL. Disable ptrace for users
kernel.user_ptrace = 0
kernel.user_ptrace_self = 0
##

Apply the changes with:

$ sysctl -p

Different software may need different ptrace access, so you may only need to set one of the two options to 0 to keep it working. In that case the ptrace protection is only partial.
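The following script is an added example and not part of the CloudLinux documentation. It reads the two sysctls this page describes from /proc and classifies the resulting protection level as full (both 0), partial (one 0) or none (both 1, the default), so an administrator can confirm what sysctl -p actually produced. It assumes the CloudLinux-specific files /proc/sys/kernel/user_ptrace and /proc/sys/kernel/user_ptrace_self; on any other kernel it reports them as absent.

```shell
#!/bin/sh
# Added example (not CloudLinux's own code): report the ptrace block state
# from the two sysctls documented on this page.
# Assumption: the files /proc/sys/kernel/user_ptrace and
# /proc/sys/kernel/user_ptrace_self exist only on CloudLinux lve kernels
# that carry this feature; elsewhere they are reported as "absent".

# Classify a pair of sysctl values:
#   0 0 -> full    (PTRACE_ATTACH and PTRACE_TRACEME both blocked)
#   one 0 -> partial (only one ptrace path blocked)
#   1 1 -> none    (CloudLinux default, ptrace allowed)
classify_ptrace_block() {
    attach="$1"   # kernel.user_ptrace      (0 blocks PTRACE_ATTACH)
    self="$2"     # kernel.user_ptrace_self (0 blocks PTRACE_TRACEME)
    case "$attach$self" in
        00)    echo full ;;
        01|10) echo partial ;;
        11)    echo none ;;
        *)     echo unknown; return 1 ;;
    esac
}

# Read one kernel.* sysctl from /proc, printing "absent" when the kernel
# does not expose it (i.e. this is not a kernel with the ptrace block).
read_sysctl() {
    f="/proc/sys/kernel/$1"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        echo absent
    fi
}

# Print the current values and a one-line summary of what they mean.
report_ptrace_block() {
    a=$(read_sysctl user_ptrace)
    s=$(read_sysctl user_ptrace_self)
    if [ "$a" = absent ] || [ "$s" = absent ]; then
        echo "ptrace block sysctls not present: this kernel has no user_ptrace feature"
        return 0
    fi
    state=$(classify_ptrace_block "$a" "$s" || true)
    echo "kernel.user_ptrace=$a kernel.user_ptrace_self=$s -> protection: $state"
    case "$state" in
        full)    echo "users cannot use PTRACE_ATTACH or PTRACE_TRACEME; strace, gdb and lsof will fail for them" ;;
        partial) echo "only one ptrace path is blocked; verify this is the option you intended" ;;
        none)    echo "ptrace is allowed for users (CloudLinux default)" ;;
        *)       echo "unexpected sysctl values; expected 0 or 1" ;;
    esac
}

report_ptrace_block
```

Run it as root after sysctl -p; the same values can be cross-checked with sysctl -n kernel.user_ptrace and sysctl -n kernel.user_ptrace_self. A "partial" result is the state the page warns about when only one option has been set to 0 to keep a particular program working.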

* ptrace protection is known to break the PSA service in Plesk 11.