Linux – permission denied for ptrace under GDB

arch linuxgdbpermissions

I have set a super simple C program and compiled it with GCC (with the -g flag). I've tried running it with gdb a.out, set a breakpoint on main and run it, but GDB ignored my breakpoint and simply ran the entire program nonstop.

On my questions in SO they told me to run it with strace and grep for failed calls to ptrace. I did so and got:

5765 ptrace(PTRACE_TRACEME, 0, 0, 0) = -1 EPERM (Operation not permitted)

When I'm trying to run gdb with sudo it works fine, so it's definitely a permissions problem. I've also tried reinstalling GDB, hoping it'll re-set the permissions, but it didn't help. Here are the groups and permissions for GDB and for the executable I'm trying to debug:

-rwxr-xr-x 1 idanarye users 7797 Dec 28 04:52 ./a.out
-rwxr-xr-x 1 root root 5206304 Aug 31 07:10 /usr/bin/gdb

I tried googling for this problem, but all I could find is another problem where GDB fails to attach to running processes due a to a new security rule that prevents ptracing another process unless it's a child process. This is not the problem here, since I let GDB start the process I want to debug. I've tried the suggested solution(changing /proc/sys/kernel/yama/ptrace_scope) anyways and it didn't work.

What am I missing here? What permissions do I need to give and to what?

I'm running a 64bit ArchLinux.

UPDATE

No idea how or why, but it works now. Probably a system update fixed it…

Best Answer

I don't think the permission denied is necessarily talking about the traditional permissions bits (rwx..), rather I'd be suspicious of something like SELinux or AppArmor which might be denying your process access.

I do not have access to a ArchLinux system but there is something similar under Fedora that is discussed here in this Fedora Wiki topic: Features/SELinuxDenyPtrace.

Here they're blocking access to ptrace through SELinux, so you might want to try disabling either SELinux or AppArmor is ArchLinux happens to be using either.

What your attempting worked for me

I tried you code on my Fedora 19 system and other than needing to install some addtional debuginfo RPMs it worked as you'd expect it to.

Example

Compiled your code.

$ gcc -g test.c

Ran the resulting binary in gdb.

$ gdb a.out 
GNU gdb (GDB) Fedora 7.6.1-46.fc19
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/saml/tst/106912/a.out...done.
(gdb) break main
Breakpoint 1 at 0x40053f: file test.c, line 4.
(gdb) run
Starting program: /home/saml/tst/106912/a.out 

Breakpoint 1, main (argc=1, argv=0x7fffffffd698) at test.c:4
4       printf("1\n");
Missing separate debuginfos, use: debuginfo-install glibc-2.17-20.fc19.x86_64
(gdb) quit
A debugging session is active.

    Inferior 1 [process 13341] will be killed.

Quit anyway? (y or n) y

The debugger complained that I was missing the debuginfos for glibc so I installed them.

$ sudo debuginfo-install glibc-2.17-20.fc19.x86_64

Now when I re-run gdb.

$ gdb a.out 
GNU gdb (GDB) Fedora 7.6.1-46.fc19
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/saml/tst/106912/a.out...done.
(gdb) break main
Breakpoint 1 at 0x40053f: file test.c, line 4.
(gdb) run
Starting program: /home/saml/tst/106912/a.out 

Breakpoint 1, main (argc=1, argv=0x7fffffffd698) at test.c:4
4       printf("1\n");
(gdb)