Uploaded image for project: 'Qt Creator'
  1. Qt Creator
  2. QTCREATORBUG-3509

ptrace: Operation not permitted when attaching gdb to application run in terminal

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • P2: Important
    • Qt Creator 3.2.0-beta1
    • Qt Creator 2.0.1
    • Debugger
    • None
    • Ubuntu 10.10 amd64
      Ubuntu 12.04 64-bit
      Debian >= Wheezy
    • a075bad97f281a47d341498e730057e868621d81

    Description

      This happens on Ubuntu from version 10.10 (see https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace Protection) when debugging console project with "run in terminal" option enabled.

      Here are commented contents of /etc/sysctl.d/10-ptrace.conf :

      The PTRACE system is used for debugging. With it, a single user process
      can attach to any other dumpable process owned by the same user. In the
      case of malicious software, it is possible to use PTRACE to access
      credentials that exist in memory (re-using existing SSH connections,
      extracting GPG agent information, etc).

      A PTRACE scope of "0" is the more permissive mode. A scope of "1" limits
      PTRACE only to direct child processes (e.g. "gdb name-of-program" and
      "strace -f name-of-program" work, but gdb's "attach" and "strace -fp $PID"
      do not). The PTRACE scope is ignored when a user has CAP_SYS_PTRACE, so
      "sudo strace -fp $PID" will work as before. For more details see:
      https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace

      For applications launching crash handlers that need PTRACE, exceptions can
      be registered by the debugee by declaring in the segfault handler
      specifically which process will be using PTRACE on the debugee:
      prctl(PR_SET_PTRACER, debugger_pid, 0, 0, 0);

      In general, PTRACE is not needed for the average running Ubuntu system.
      To that end, the default is to set the PTRACE scope to "1". This value
      may not be appropriate for developers or servers with only admin accounts.

      Does second to last paragraph perhaps include possible fix?

      Temporary workaround (note that this introduces security risk to your system, see Ubuntu wiki page linked above for details):
      In /etc/sysctl.d/10-ptrace.conf change value of kernel.yama.ptrace_scope to 0. This file is read at startup time so you will need to reboot to apply change.
      You can also set ptrace_scope to 0 for current session only (it will revert back to 1 after rebooting) like this:

       echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. QTCREATORBUG-4564 debugging with run in terminal fails with restricted ptrace on ubuntu 10.10

          • Not Evaluated - Not yet evaluated/prioritized
          • Closed
          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

              orgads Orgad Shaneh
              pivo David Beer
              Votes:
              35 Vote for this issue
              Watchers:
              33 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There are no open Gerrit changes