Ah, Kees is right. I had this in my mind when I created the original approach with "setgid noptrace" binaries [1] [2], since a user cannot copy setgid binaries while keeping the sgid bit, and the programs could check whether they are setgid.
Seems I failed to write this down explicitly, and thus just forgot about this when the Debian guys convinced me to not use this.

So I think we are back to using prctl(SET_DUMPABLE, 0). It is subject to race conditions, but then the entire desktop security model is subject to all sorts of threats (spoofing being the most important one), so it's a reasonable compromise.

I'll close this now. Sorry for the noise, and thanks for reminding me. :)

[1] https://wiki.ubuntu.com/DesktopTeam/Specs/PolicyKitIntegration
[2] http://lists.debian.org/debian-devel/2007/12/msg00216.html

** Changed in: apparmor (Ubuntu)
       Status: New => Invalid

--
Should provide a flag to disable ptrace()/LD_PRELOAD
https://bugs.launchpad.net/bugs/176301
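
Added example, not part of the original message or of any project's code: a Linux process clears its dumpable flag so that unprivileged ptrace() attach is refused, then reads TracerPid from /proc/self/status to notice a tracer that attached before the call, which is the race window the message mentions. The helper names are hypothetical, and the constant is spelled PR_SET_DUMPABLE as in <sys/prctl.h>.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>

/* Find "TracerPid:" at the start of a line of /proc/<pid>/status text.
 * Returns the tracer PID, 0 if untraced, -1 if the field is absent. */
long parse_tracer_pid(const char *status_text)
{
    static const char key[] = "TracerPid:";
    for (const char *line = status_text; line && *line; ) {
        if (strncmp(line, key, sizeof key - 1) == 0)
            return strtol(line + sizeof key - 1, NULL, 10);
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* Tracer of the calling process, or -1 if /proc is unavailable. */
long current_tracer_pid(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* Clear the dumpable flag and confirm it; 0 on success, -1 on failure. */
int disable_ptrace_attach(void)
{
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0 ? 0 : -1;
}

int main(void)
{
    if (disable_ptrace_attach() != 0) { perror("prctl"); return 1; }
    /* A tracer attached before the prctl() call stays attached. */
    long tracer = current_tracer_pid();
    if (tracer != 0) {
        fprintf(stderr, "refusing to handle secrets (TracerPid=%ld)\n", tracer);
        return 1;
    }
    puts("not dumpable, no tracer attached");
    return 0;
}
```

The flag is reset by execve(), so the call belongs at the very start of main() in every program that needs it.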