How to disable Ptrace on CloudLinux OS Shared environment? Let’s explore the solution with this article. Bobcares, as a part of our Server Management Services, offers solutions to every query that comes our way.
How to disable Ptrace on the CloudLinux environment?
Ptrace, or process trace, is a debugging facility that allows one process to attach to another and monitor or change its memory and running state. The ptrace() system call allows one process (the “tracer”) to observe and control the execution of another process (the “tracee”), and to view and change the tracee’s memory and registers. It is mostly used for breakpoint debugging and system call tracing.
Unprivileged users can use ptrace() to gain privileged access by exploiting a privileged application while it is running a privileged operation. This may allow an attacker to attach to a running setuid process and change it using ptrace or other functions. The attacker is then able to run their own code with admin access. As a result, every Linux product that relies on this kernel is vulnerable.
Solution
ptrace() is enabled by default in CloudLinux OS Shared. The defaults are:
kernel.user_ptrace = 1
kernel.user_ptrace_self = 1
We can use kernel.user_ptrace to turn off PTRACE_ATTACH, and kernel.user_ptrace_self to turn off PTRACE_TRACEME.
However, we have to change both sysctl options to 0, and we must add this to /etc/sysctl.conf:
## CL. Disable ptrace for users
kernel.user_ptrace = 0
kernel.user_ptrace_self = 0
##
Then we have to apply the changes using:
$ sysctl -p
Different software may need different levels of access to ptrace, so we may need to change just one parameter to 0 to get it to work. In that case, there will be only partial ptrace protection.
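To check which of the cases above a given configuration falls into, the following added example (not part of the original article or of CloudLinux tooling) reads a sysctl.conf-style file and reports full, partial or no ptrace protection. The function names and the sample file are assumptions made for illustration; the two keys and their default of 1 are the ones given above.

```shell
#!/bin/sh
# Added example: report the ptrace protection level a sysctl.conf-style file
# would give. Keys and their default (1) are taken from the article.

# Print the effective value of key $1 in file $2, falling back to default $3.
# The last assignment wins, as it does when sysctl -p reads the file.
sysctl_conf_value() {
    awk -F= -v key="$1" -v val="$3" '
        /^[ \t]*[#;]/ { next }            # skip comment lines
        {
            k = $1; v = $2
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == key && v != "") val = v
        }
        END { print val }' "$2"
}

# Print "full", "partial" or "none" for the file given as $1.
ptrace_protection_level() {
    attach=$(sysctl_conf_value kernel.user_ptrace "$1" 1)        # PTRACE_ATTACH
    traceme=$(sysctl_conf_value kernel.user_ptrace_self "$1" 1)  # PTRACE_TRACEME
    if [ "$attach" = 0 ] && [ "$traceme" = 0 ]; then
        echo full
    elif [ "$attach" = 0 ] || [ "$traceme" = 0 ]; then
        echo partial
    else
        echo none
    fi
}

# Constructed sample: only PTRACE_ATTACH is turned off, the second line is
# commented out, so the result is "partial".
sample=$(mktemp)
printf '%s\n' '## CL. Disable ptrace for users' \
    'kernel.user_ptrace = 0' \
    '#kernel.user_ptrace_self = 0' > "$sample"
echo "sample file: $(ptrace_protection_level "$sample")"
```

On a CloudLinux server, call ptrace_protection_level /etc/sysctl.conf and compare the result with the running values from sysctl -n kernel.user_ptrace kernel.user_ptrace_self.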
Conclusion
In this article, we have included a simple step to disable the ptrace() on a CloudLinux OS shared environment.