On Tue, Sep 16, 2025 at 11:26:22AM +0200, Florian Weimer wrote:
> * Christopher Klooz:
>
> > Even if the proposal would be implemented with ptrace_scope being 2,
> > you would **not** need to reboot to change the ptrace_scope condition
> > -> `sysctl kernel.yama.ptrace_scope=0` would temporarily disable it
> > (immediately!) without reboot.
>
> You can also run strace and gdb as root, where the restrictions do not
> apply. It's simpler than fiddling with the sysctl, I think.
>
> I expect that the net effect of this change will be that quite a few of
> us run these tools as root. From a security perspective, it doesn't
> matter because our machines tend to be single-user anyway, but there's
> definitely a trade-off here.

We should think broader than just the security perspective. When I'm triaging a bug report and need to get more info from the end user, I'd rather not be telling them to run debugging commands as root if the process to be debugged wasn't root. This reduces the risk of mistakes causing further problems.

It has been better that we no longer need to tell users to become root to install debuginfo RPMs now that we have debuginfod integrated out of the box.

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|