Re: [EXTERNAL] F44 Change Proposal: Mitigate vulnerabilities/attacks by enabling kernel.kptr_restrict and net.core.bpf_jit_harden by default, and by obsoleting a package that risks to accidentally disable kernel.yama.ptrace_scope by default [SystemWide]

I just wrote another mail to the devel mailing list that also tackles the issue you raise (sent 10:28, UTC-0): point 2) should respond to your points (especially consider the elaboration that enabling ptrace_scope might not be something bound to my proposal, given that it was never approved to be disabled in the first place).

Additionally, issues for users go along with many Fedora users being bound to install untrusted third-party software, while we intentionally "bought" ourselves the group of "average users" and promote Fedora as secure by default for them (Arch, openSUSE, Ubuntu -> all already have ptrace_scope in place, along with it being an upstream kernel default). Also, we regularly identify that some packages have not been updated for years, in seldom cases even with CVEs (though I agree that I have not yet seen a major CVE being around for years in some package). Having ptrace_scope disabled can allow malicious/untrusted/vulnerable/un-updated tools' processes to gather e.g. credentials.

But I think most of that is contained in the proposal and partly also discussed in the Discourse topic. As mentioned in my last email to the devel list, please do further communication on the Discourse topic if responses from mine are intended. Thanks :)

On 11/09/2025 21.42, Przemek Klosowski via devel wrote:
> On 9/8/25 2:11 PM, Christopher Klooz wrote:
>
>> With regards to `ptrace_scope`, it seems that developers engaging in
>> debugging on lower abstraction layers might experience `ptrace_scope`
>> hindering their capability to attach tools like `gdb` or `strace` to
>> running processes, but by default Fedora should not be set to a
>> "debugging mode" (as we also do not boot our kernel by default in
>> debugging mode, for good reasons), and it can be expected that people
>> who engage in such activities will be able to identify how to
>> temporarily or permanently disable these settings or to identify the
>> relevant documentation if it exists: documentation is the answer,
>
> I think attaching strace (and gdb) to running userland processes is an
> essential debugging and performance measurement technique, and disabling
> it does not make sense to me, even in my security hat. I understand that
> you can strace only your own processes, so what is the problem in that?

--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
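The following shell script is an added example for readers of this thread; it is not code from the change proposal, from Fedora, or from either author. It audits the three sysctls the proposal names against assumed target values (kptr_restrict >= 1, bpf_jit_harden >= 1, ptrace_scope >= 1; the thresholds are my assumption of what "enabled by default" means here) using constructed sample output, and it models the Yama attach decision that the quoted exchange is about (why `strace -f ./prog` keeps working under ptrace_scope=1 while `strace -p` on an unrelated same-user process does not). The ptrace model is a simplification: the classic same-uid/dumpable checks are folded into one flag and the PR_SET_PTRACER exception is not modelled.

```shell
#!/bin/sh
# Added example (not from the Fedora thread or the proposal).
# 1) audit_sysctl: flag settings below the proposal's assumed targets.
# 2) ptrace_attach: simplified model of Yama's PTRACE_ATTACH decision.

# Constructed sample output, in the format `sysctl <key>` prints,
# for an unhardened and a hardened system.
SAMPLE_WEAK='kernel.kptr_restrict = 0
net.core.bpf_jit_harden = 0
kernel.yama.ptrace_scope = 0'

SAMPLE_HARDENED='kernel.kptr_restrict = 1
net.core.bpf_jit_harden = 2
kernel.yama.ptrace_scope = 1'

# audit_sysctl "<sysctl output>"
# Prints one "WEAK key=value (wanted >= N)" line per setting below the
# assumed target; returns 0 when all three meet it, 1 otherwise.
# Live use: audit_sysctl "$(sysctl kernel.kptr_restrict net.core.bpf_jit_harden kernel.yama.ptrace_scope)"
audit_sysctl() {
    rc=0
    while IFS= read -r line; do
        key=${line%% =*}
        val=${line##*= }
        case "$key" in
            kernel.kptr_restrict)     want=1 ;;   # 1 hides kernel pointers from unprivileged users
            net.core.bpf_jit_harden)  want=1 ;;   # 1 = harden unprivileged JIT, 2 = harden all
            kernel.yama.ptrace_scope) want=1 ;;   # 1 = descendants only (upstream Yama default)
            *) continue ;;
        esac
        if [ "$val" -lt "$want" ]; then
            echo "WEAK $key=$val (wanted >= $want)"
            rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}

# ptrace_attach SCOPE SAME_USER(y/n) IS_DESCENDANT(y/n) CAP_SYS_PTRACE(y/n)
# Simplified Yama model (assumption, not the kernel's code):
#   0: classic rule, same user may attach to any of their processes
#   1: same user may attach only to descendants (the debugger's children)
#   2: only CAP_SYS_PTRACE may attach
#   3: nobody may attach, not even root
# Prints "allow" or "deny"; PR_SET_PTRACER opt-in is not modelled.
ptrace_attach() {
    scope=$1; same_user=$2; descendant=$3; cap=$4
    if [ "$cap" = y ] && [ "$scope" -lt 3 ]; then echo allow; return 0; fi
    case "$scope" in
        0) [ "$same_user" = y ] && { echo allow; return 0; } ;;
        1) [ "$same_user" = y ] && [ "$descendant" = y ] && { echo allow; return 0; } ;;
        2) ;;   # CAP_SYS_PTRACE handled above
        3) ;;   # no attaching at all
    esac
    echo deny
    return 1
}

# Demonstration on the constructed samples.
audit_sysctl "$SAMPLE_WEAK" || echo "weak sample: needs hardening"
audit_sysctl "$SAMPLE_HARDENED" && echo "hardened sample: ok"
# What a developer sees under ptrace_scope=1:
#   strace -f -o trace.log ./prog   -> descendant, allowed:
ptrace_attach 1 y y n
#   strace -p <pid of unrelated same-user process> -> denied:
ptrace_attach 1 y n n
```

For temporary debugging on a hardened box the thread's own suggestion applies: run the target as a child of the debugger (`strace -f`, `gdb ./prog`) rather than attaching, or relax the setting for the session with `sudo sysctl -w kernel.yama.ptrace_scope=0` and persist a choice through a drop-in under `/etc/sysctl.d/`.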