diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c index 793fc44eb..29098ba71 100644 --- a/agent/gpg-agent.c +++ b/agent/gpg-agent.c @@ -48,6 +48,9 @@ # include #endif #include +#ifdef HAVE_PRCTL +# include +#endif #define GNUPG_COMMON_NEED_AFLOCAL #include "agent.h" @@ -1013,6 +1016,11 @@ main (int argc, char **argv ) early_system_init (); +#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) + /* Disable ptrace on Linux without sgid bit */ + prctl(PR_SET_DUMPABLE, 0); +#endif + /* Before we do anything else we save the list of currently open file descriptors and the signal mask. This info is required to do the exec call properly. We don't need it on Windows. */ diff --git a/configure.ac b/configure.ac index 65ae52336..19cf8e86c 100644 --- a/configure.ac +++ b/configure.ac @@ -1395,7 +1395,7 @@ AC_CHECK_FUNCS([atexit canonicalize_file_name clock_gettime ctermid \ ftruncate funlockfile getaddrinfo getenv getpagesize \ getpwnam getpwuid getrlimit getrusage gettimeofday \ gmtime_r inet_ntop inet_pton isascii lstat memicmp \ - memmove memrchr mmap nl_langinfo pipe raise rand \ + memmove memrchr mmap nl_langinfo pipe prctl raise rand \ setenv setlocale setrlimit sigaction sigprocmask \ stat stpcpy strcasecmp strerror strftime stricmp \ strlwr strncasecmp strpbrk strsep strtol strtoul \ diff --git a/scd/scdaemon.c b/scd/scdaemon.c index 8cbd0ee08..ff343aa7b 100644 --- a/scd/scdaemon.c +++ b/scd/scdaemon.c @@ -36,6 +36,9 @@ #include #include #include +#ifdef HAVE_PRCTL +# include +#endif #define GNUPG_COMMON_NEED_AFLOCAL #include "scdaemon.h" @@ -443,6 +446,12 @@ main (int argc, char **argv ) npth_t pipecon_handler; early_system_init (); + +#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) + /* Disable ptrace on Linux without sgid bit */ + prctl(PR_SET_DUMPABLE, 0); +#endif + set_strusage (my_strusage); gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN); /* Please note that we may running SUID(ROOT), so be very CAREFUL
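Review bot: The result of `prctl(PR_SET_DUMPABLE, 0)` in main of agent/gpg-agent.c is discarded, and the same applies to the matching hunk in scd/scdaemon.c, so a failed call leaves the daemon attachable with nothing in the log to show the hardening is absent. Consider testing it, `if (prctl (PR_SET_DUMPABLE, 0) != 0)`, and reporting the failure through the daemon's normal logging rather than aborting. The comment would also be more useful if it stated the limits, for example `/* Make the process non-dumpable: same-user processes can no longer ptrace it; root and CAP_SYS_PTRACE still can, and core dumps are suppressed as a side effect. */`. main continues outside this hunk.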
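Review bot: Adding `prctl` to AC_CHECK_FUNCS in configure.ac defines HAVE_PRCTL when the function links, but the C files use that macro to guard the header include, whose presence is never tested. A separate `AC_CHECK_HEADERS([sys/prctl.h])`, with the include guarded by `HAVE_SYS_PRCTL_H`, would match the check to what is actually used. The header name is assumed here, because the include target is not visible in this rendering of the diff. The AC_CHECK_FUNCS list continues outside the hunk.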
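Review bot: The non-dumpable flag set right after `early_system_init ()` in scd/scdaemon.c does not survive credential changes: per prctl(2) the kernel resets it to the value of /proc/sys/fs/suid_dumpable whenever the effective UID or GID changes. The context comment just below says the daemon may run SUID, so if privileges are dropped later in main (not visible in this hunk), the final state depends on that sysctl rather than on this call. Repeating the call after the last credential change would keep the hardening in place on systems where suid_dumpable is set to 1. Failing that, a comment such as `/* Re-apply after any set*id call; the kernel resets the flag then. */` would at least record the dependency.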