Can't attach GDB to process (ptrace read-only)


#1

I am trying to attach gdb to a running process and am getting the following error

“Attaching to process xxxx Could not
attach to process. If your uid
matches the uid of the target process,
check the setting of
/proc/sys/kernel/yama/ptrace_scope, or
try again as the root user. For more
details, see
/etc/sysctl.d/10-ptrace.conf ptrace:
Operation not permitted.”

So when I run the following:
echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope
I get:
tee: /proc/sys/kernel/yama/ptrace_scope: Read-only file system

So I attempted to change my ptrace setting to 0 by modifying /etc/sysctl.d/10-ptrace.conf, but it doesn't seem to change anything.

Is there any workaround for this? Thanks!


#2

Hi! I’m another C9 user who found your question interesting.

I would have liked to tell you I found a solution. I gave it the ol’ college try, but unfortunately no such luck.

  • /proc/sys is indeed mounted read-only. I tried to use sudo mount -o rw,remount /proc/sys to change that, but got an error message. At least on this system, root is far from almighty!
  • /proc/sys is also not in /etc/fstab so I could change its mount parameters there and reboot our Dockered Linux. Maybe it’s somewhere else that I’m not aware of?
  • One recommended solution is to re-compile your kernel with this parameter set to 0 as it was before. Of course, since this Linux isn’t ours we can’t do this. Also, that would make our system a little less secure by default. This “capability” stuff was recently built into Linux for a reason.
  • The more recommended solution is to selectively set the CAP_PTRACE capability not for the whole system but for just the /usr/bin/gdb executable. That would allow gdb, but only gdb, to do the attach thing. The utility for this is setcap if I remember correctly. I tried that, but wasn’t able to. Either I (i.e. root) don’t have the capability to assign capabilities like this, or the file system doesn’t support setting capabilities as file attributes.
  • Betting on the file system, I tried to build myself a file system of my own on a loopback device that I could then format as I wished, mount, and onto which I could then copy gdb to grace it with the trace capability. No such luck, our system doesn’t “do” loop devices. Maybe that’s a no-no when running inside Docker - I found hints to that effect but no useful workaround.

This is when I gave up. The “capability” concept was intentionally built into Linux to keep people from doing the kind of thing we’re trying to do, and it seems to be watertight enough that even a root user doesn’t have the means to circumvent it.

On the one hand it’s nice to see Linux’s shiny new security concept working as designed, on the other it sucks to no longer be able to attach to processes from the outside, even as root.

I’d consider begging the gods of C9 to change the pre-baked value of ptrace.conf to 2 and giving root the CAP_SYS_PTRACE capability so that we’ll be able to gdb-attach as user root.
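Post #2 walks through the three gates that decide whether an attach is allowed: the Yama ptrace_scope value, whether /proc/sys can be written at all, and whether the tracer holds CAP_SYS_PTRACE. The script below is an added diagnostic, not code from the thread or from Cloud9; it assumes the standard Linux procfs layout and CAP_SYS_PTRACE = 19 from <linux/capability.h>, and reports each gate for the caller's own context so the "Operation not permitted" can be attributed to the right one before anyone edits sysctl.d or retries as root. The helpers that interpret a value take it as an argument or on stdin, so they can also be exercised with sample data off the box.

```shell
#!/usr/bin/env bash
# ptrace_check.sh: report the three things that decide whether `gdb -p PID`
# may attach on this host: Yama's ptrace_scope, whether /proc/sys is a
# read-only mount (as in the thread), and whether the caller holds
# CAP_SYS_PTRACE. Added example, not from the original thread; assumes the
# standard Linux procfs layout and CAP_SYS_PTRACE = 19.

CAP_SYS_PTRACE_BIT=19

# Translate a Yama ptrace_scope value into the policy it enforces.
describe_ptrace_scope() {
  case "$1" in
    0) echo "classic: any process may attach to another with the same uid" ;;
    1) echo "restricted: only an ancestor may attach, unless the target opted in via prctl(PR_SET_PTRACER) or the tracer has CAP_SYS_PTRACE" ;;
    2) echo "admin-only: attach requires CAP_SYS_PTRACE" ;;
    3) echo "no attach: PTRACE_ATTACH is disabled and the value cannot be lowered until reboot" ;;
    *) echo "unknown value: $1" ;;
  esac
}

# Read the live sysctl; print "unavailable" when the kernel has no Yama LSM.
read_ptrace_scope() {
  f=/proc/sys/kernel/yama/ptrace_scope
  if [ -r "$f" ]; then cat "$f"; else echo unavailable; fi
}

# Given /proc/self/mountinfo on stdin, print the first per-mount option
# (ro or rw) of the mount covering /proc/sys, or "inherited" when /proc/sys
# is not its own mount and simply follows the /proc mount.
proc_sys_mount_mode() {
  awk '$5 == "/proc/sys" { split($6, o, ","); print o[1]; found = 1 }
       END { if (!found) print "inherited" }'
}

# Given a /proc/<pid>/status file on stdin, print the effective capability mask.
cap_eff_from_status() {
  awk '/^CapEff:/ { print $2 }'
}

# Succeed when the hex capability mask has the CAP_SYS_PTRACE bit set.
has_cap_sys_ptrace() {
  [ -n "$1" ] || return 1
  [ $(( (0x$1 >> CAP_SYS_PTRACE_BIT) & 1 )) -eq 1 ]
}

# Print one line per gate for the caller's own context.
main() {
  scope=$(read_ptrace_scope)
  if [ "$scope" = unavailable ]; then
    echo "ptrace_scope: Yama not present; classic ptrace rules apply"
  else
    echo "ptrace_scope = $scope: $(describe_ptrace_scope "$scope")"
  fi

  mode=$(proc_sys_mount_mode < /proc/self/mountinfo)
  echo "/proc/sys mount: $mode"
  if [ "$mode" = ro ]; then
    echo "  -> writes fail with EROFS, so editing /etc/sysctl.d cannot take effect inside this environment"
  fi

  caps=$(cap_eff_from_status < /proc/self/status)
  if has_cap_sys_ptrace "$caps"; then
    echo "CapEff $caps: CAP_SYS_PTRACE present (bypasses scope 1, satisfies scope 2; scope 3 still refuses)"
  else
    echo "CapEff $caps: CAP_SYS_PTRACE absent (even uid 0 is refused at scope 2 without it)"
  fi
}

# Run the live report only when asked, so the helpers can be sourced separately.
case "${1:-}" in --run) main ;; esac
```

Run it as `./ptrace_check.sh --run` in the same shell that fails to attach. A read-only /proc/sys together with an absent CAP_SYS_PTRACE bit is exactly the combination post #2 describes: the sysctl cannot be lowered from inside, and the capability that would bypass scope 1 or satisfy scope 2 is not in the effective set, so changing either requires whoever controls the container configuration.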


#3

Thanks for digging into this. Any chance anyone from c9 can shed any insight?