In the good old days there was not much malware on Linux systems. As Linux grew in popularity, the malware and trojans written for it grew with it.

In a traditional Unix-like system, the ptrace system call lets a process attach to, inspect and take control of any other process it has permission to send a signal to, which in practice means any process running under the same user. The call dates back to 4.3BSD and SVr4.

The downside of this design is that if malware runs on your system under your user, it can take full control of every other process it is allowed to signal and capture sensitive information from them, for example the private keys an SSH agent holds in memory. This is not a bug, it is a design decision. A program can protect itself against being traced by clearing its dumpable attribute with the Linux-specific prctl call (PR_SET_DUMPABLE set to 0), which the OpenSSH agent on your system already does; as a side effect the process also stops producing core dumps, and its /proc/<pid> entries become readable only by root.

But not many programmers are aware of this behaviour, so from a Linux distribution's point of view it makes sense to put an additional protection mechanism around the ptrace system call and get a more secure system without changing any application code.
Newer Linux kernels include the Yama security module. When Yama is built into the kernel, its behaviour can be changed at runtime through the ptrace_scope file.

If you try to use strace to attach to another process that belongs to you but is not a descendant of strace, and the value in the ptrace_scope file is greater than 0, getting an "Operation not permitted" error is normal, not a sign of a broken system.

Some recent Linux distributions set ptrace_scope to 1 by default. You can still use strace in this case by starting the program under strace:

$ strace ./my_prog

but you cannot attach to a process that is already running and is not a descendant of your newly started strace (unless that process has named your tracer with prctl PR_SET_PTRACER, or you hold CAP_SYS_PTRACE, which also bypasses the PR_SET_DUMPABLE check).
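To make the two mechanisms above concrete, here is an added example; it is not code from the original post or from OpenSSH. It reads Yama's ptrace_scope, prints what the value means, then forks two children, one left alone and one that clears PR_SET_DUMPABLE the way ssh-agent does, and reports whether the parent can PTRACE_ATTACH to each. The function names, the pipe handshake and the use of a forked child as the "victim" are the example's own choices, not anything the post prescribes.

```c
/* Added example (not from the original post): how PR_SET_DUMPABLE and
 * Yama's ptrace_scope interact with ptrace(PTRACE_ATTACH). Linux only.
 * Build and run as an unprivileged user: cc -Wall ptrace_demo.c && ./a.out
 */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Yama exposes its policy knob here (documented in Yama.txt). */
static const char *const YAMA_PATH = "/proc/sys/kernel/yama/ptrace_scope";

/* Returns the current ptrace_scope, or -1 if Yama is not available. */
int read_ptrace_scope(void)
{
    FILE *f = fopen(YAMA_PATH, "r");
    int scope = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%d", &scope) != 1)
        scope = -1;
    fclose(f);
    return scope;
}

/* Meaning of each ptrace_scope value, as described in Yama.txt. */
const char *describe_ptrace_scope(int scope)
{
    switch (scope) {
    case 0: return "classic: any process may attach to another it could signal";
    case 1: return "restricted: only ancestors (or a PR_SET_PTRACER-designated tracer) may attach";
    case 2: return "admin-only: attaching requires CAP_SYS_PTRACE";
    case 3: return "no attach: ptrace attach disabled until reboot";
    default: return "unknown";
    }
}

/* Forks a child, optionally hardened with prctl(PR_SET_DUMPABLE, 0), and
 * tries PTRACE_ATTACH from the parent (an ancestor, so ptrace_scope 1
 * would otherwise allow it). Returns 0 on successful attach or the errno
 * from ptrace(); EPERM is the expected refusal for the hardened child
 * when the caller lacks CAP_SYS_PTRACE. The child is killed either way. */
int attach_to_child(int harden)
{
    int sync_pipe[2], result, status;
    char byte;
    pid_t pid;

    if (pipe(sync_pipe) != 0)
        return errno;
    pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0) {
        close(sync_pipe[0]);
        if (harden && prctl(PR_SET_DUMPABLE, 0) != 0)
            _exit(1);
        /* tell the parent the flag is in place, then idle until killed */
        if (write(sync_pipe[1], "x", 1) != 1)
            _exit(1);
        close(sync_pipe[1]);
        for (;;)
            pause();
    }
    close(sync_pipe[1]);
    if (read(sync_pipe[0], &byte, 1) != 1)
        result = EIO;              /* child failed before signalling readiness */
    else
        result = (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) ? errno : 0;
    close(sync_pipe[0]);

    kill(pid, SIGKILL);
    /* a successful attach reports a ptrace-stop first; reap until the child is gone */
    while (waitpid(pid, &status, 0) == pid && !WIFEXITED(status) && !WIFSIGNALED(status))
        ;
    return result;
}

int main(void)
{
    int scope = read_ptrace_scope();
    int plain, hard;
    printf("ptrace_scope = %d (%s)\n", scope, describe_ptrace_scope(scope));
    plain = attach_to_child(0);
    hard = attach_to_child(1);
    printf("attach to normal child:   %s\n", plain ? strerror(plain) : "ok");
    printf("attach to hardened child: %s\n", hard ? strerror(hard) : "ok");
    return 0;
}
```

Run it as a normal user: with ptrace_scope 0 or 1 the plain child can be attached (the parent is its ancestor), while the child that cleared PR_SET_DUMPABLE is refused with EPERM. Run it as root, or with CAP_SYS_PTRACE, and both attaches succeed, which is why the dumpable trick protects against same-user malware but not against a compromised administrator account.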
You can learn about the other ptrace_scope values and the limitations of the current implementation from: https://www.kernel.org/doc/Documentation/security/Yama.txt