Bug#712663: marked as done (gdb with pid argument doesn't work (ptrace: Operation not permitted))

Tue, 18 Jun 2013 11:25:30 -0700 

Your message dated Tue, 18 Jun 2013 14:22:16 -0400
with message-id 
<CAJYzjmdNB1UgE00ASxHdzBqHWvzxLJphYvEtmCJyOwtDh=s...@mail.gmail.com>
and subject line Re: Bug#712663: gdb with pid argument doesn't work
has caused the Debian Bug report #712663,
regarding gdb with pid argument doesn't work (ptrace: Operation not permitted)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
712663: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712663
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: gdb
Version: 7.6-3
Severity: normal

According to the gdb(1) man page:

  You can, instead, specify a process ID as a second argument, if you
  want to debug a running process:

  gdb program 1234

  would attach GDB to process 1234 (unless you also have a file named
  `1234'; GDB does check for a core file first).

but this doesn't work:

ypig:~> gdb =iceweasel 29743
GNU gdb (GDB) 7.6-debian
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/lib/iceweasel/iceweasel...Reading symbols from 
/usr/lib/debug/usr/lib/iceweasel/iceweasel...done.
done.
Attaching to program: /usr/lib/iceweasel/iceweasel, process 29743
ptrace: Operation not permitted.
/home/vlefevre/29743: No such file or directory.
(gdb) 

I wonder what gdb is trying to do, but the error messages are no clear.
Does it fail because /home/vlefevre/29743 doesn't exist???

I don't know about ptrace, but I'm using a standard Debian kernel
(linux-image-3.9-1-amd64 Debian package).

FYI:

ypig:~> ll /proc/29743
total 0
dr-xr-xr-x  2 vlefevre vlefevre 0 2013-06-18 14:16:22 attr/
-rw-r--r--  1 vlefevre vlefevre 0 2013-06-18 14:16:22 autogroup
-r--------  1 vlefevre vlefevre 0 2013-06-18 14:16:22 auxv
-r--r--r--  1 vlefevre vlefevre 0 2013-06-18 14:13:14 cgroup
--w-------  1 vlefevre vlefevre 0 2013-06-18 14:16:22 clear_refs
-r--r--r--  1 vlefevre vlefevre 0 2013-06-18 14:12:02 cmdline
-rw-r--r--  1 vlefevre vlefevre 0 2013-06-18 14:16:22 comm
-rw-r--r--  1 vlefevre vlefevre 0 2013-06-18 14:16:22 coredump_filter
-r--r--r--  1 vlefevre vlefevre 0 2013-06-18 14:16:22 cpuset
lrwxrwxrwx  1 vlefevre vlefevre 0 2013-06-18 14:16:22 cwd -> /home/vlefevre/
-r--------  1 vlefevre vlefevre 0 2013-06-18 14:16:22 environ
lrwxrwxrwx  1 vlefevre vlefevre 0 2013-06-18 14:16:22 exe -> 
/usr/lib/iceweasel/iceweasel*
dr-x------  2 vlefevre vlefevre 0 2013-06-18 14:12:18 fd/
dr-x------  2 vlefevre vlefevre 0 2013-06-18 14:16:22 fdinfo/
-r--------  1 vlefevre vlefevre 0 2013-06-18 14:13:14 io
-r--r--r--  1 vlefevre vlefevre 0 2013-06-18 14:16:22 limits
-rw-r--r--  1 vlefevre vlefevre 0 2013-06-18 14:16:22 loginuid
-r--r--r--  1 vlefevre vlefevre 0 2013-06-18 14:12:02 maps
-rw-------  1 vlefevre vlefevre 0 2013-06-18 14:16:22 mem
-r--r--r--  1 vlefevre vlefevre 0 2013-06-18 14:12:02 mountinfo
-r--r--r--  1 vlefevre vlefevre 0 2013-06-18 14:16:22 mounts
-r--------  1 vlefevre vlefevre 0 2013-06-18 14:16:22 mountstats
dr-xr-xr-x  6 vlefevre vlefevre 0 2013-06-18 14:16:22 net/
dr-x--x--x  2 vlefevre vlefevre 0 2013-06-18 14:16:22 ns/
-r--r--r--  1 vlefevre vlefevre 0 2013-06-18 14:16:22 numa_maps
-rw-r--r--  1 vlefevre vlefevre 0 2013-06-18 14:16:22 oom_adj
-r--r--r--  1 vlefevre vlefevre 0 2013-06-18 14:16:22 oom_score
-rw-r--r--  1 vlefevre vlefevre 0 2013-06-18 14:16:22 oom_score_adj
-r--r--r--  1 vlefevre vlefevre 0 2013-06-18 14:16:22 pagemap
-r--r--r--  1 vlefevre vlefevre 0 2013-06-18 14:16:22 personality
lrwxrwxrwx  1 vlefevre vlefevre 0 2013-06-18 14:16:22 root -> //
-rw-r--r--  1 vlefevre vlefevre 0 2013-06-18 14:16:22 sched
-r--r--r--  1 vlefevre vlefevre 0 2013-06-18 14:16:22 sessionid
-r--r--r--  1 vlefevre vlefevre 0 2013-06-18 14:16:22 smaps
-r--r--r--  1 vlefevre vlefevre 0 2013-06-18 14:16:22 stack
-r--r--r--  1 vlefevre vlefevre 0 2013-06-18 14:12:06 stat
-r--r--r--  1 vlefevre vlefevre 0 2013-06-18 14:13:14 statm
-r--r--r--  1 vlefevre vlefevre 0 2013-06-18 14:12:18 status
-r--r--r--  1 vlefevre vlefevre 0 2013-06-18 14:16:22 syscall
dr-xr-xr-x 39 vlefevre vlefevre 0 2013-06-18 14:12:06 task/
-r--r--r--  1 vlefevre vlefevre 0 2013-06-18 14:16:22 wchan

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.9-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gdb depends on:
ii  gdbserver     7.6-3
ii  libc6         2.17-5
ii  libexpat1     2.1.0-3
ii  liblzma5      5.1.1alpha+20120614-2
ii  libncurses5   5.9+20130608-1
ii  libpython2.7  2.7.5-6
ii  libreadline6  6.2+dfsg-0.1
ii  libtinfo5     5.9+20130608-1
ii  zlib1g        1:1.2.8.dfsg-1

Versions of packages gdb recommends:
ii  libc6-dbg [libc-dbg]  2.17-5

Versions of packages gdb suggests:
ii  gdb-doc  7.6-1

-- no debconf information

--- End Message ---
--- Begin Message --- 
On Tue, Jun 18, 2013 at 8:51 AM, Vincent Lefevre <[email protected]> wrote:

> On 2013-06-18 14:25:59 +0200, Vincent Lefevre wrote:
> > I don't know about ptrace, but I'm using a standard Debian kernel
> > (linux-image-3.9-1-amd64 Debian package).
>
> For the ptrace problem, it could be related to that:
>
>
> https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace%20Protection
>
> and indeed:
>
> ypig:~> cat /proc/sys/kernel/yama/ptrace_scope
> 1
>
> Setting it to 0 is obviously not the right thing to do. The solution
> must be implemented in gdb (e.g. by being suid root and dropping
> permissions when possible... or something else...).
>
> Running iceweasel from gdb may be a workaround, but this may be too
> late (e.g. to get a backtrace of some frozen process).
>

Allowing GDB to attach to running processes in this manner would almost
completely undermine the ptrace protection, though: baddies could then just
make gdb do their dirty work for them, especially now that we have Python
scripting ...

So we won't be giving anyone a false sense of security this way.

(Besides which, I believe it would be a LOT of work to restructure GDB to
allow this without also accidentally allowing users to do evil things like
attaching to system daemons, writing to system files, etc.)

--- End Message ---

Reply via email to