user150497

Reputation: 532

strace -f strace /bin/ls failed with PTRACE_TRACEME EPERM (Operation not permitted)

When I run

strace -f strace /bin/ls 

to learn how strace works, it failed with

ptrace(PTRACE_TRACEME, 0, 0, 0) = -1 EPERM (Operation not permitted) 

even with root account.

Is there any solution for this?

Upvotes: 15

Views: 10211

Answers (3)

Pauli Nieminen

Reputation: 1120

The ptrace system call is limited to only one tracing application per process.

man ptrace:

  EPERM  The specified process cannot be traced. This could be because the tracer has
         insufficient privileges (the required capability is CAP_SYS_PTRACE); unprivileged
         processes cannot trace processes that they cannot send signals to or those running
         set-user-ID/set-group-ID programs, for obvious reasons. Alternatively, the process
         may already be being traced, or (on kernels before 2.6.26) be init(1) (PID 1).

This means only one debug application can attach to the same process. When you run strace -f, you tell it to attach to all processes started by the program being debugged. In your case, strace calls fork to create a new process and sets up the new process for debugging using the ptrace system call. Then it calls exec with the parameters you provided. This then starts strace again, which tries to do fork and ptrace again. But the second ptrace fails with EPERM because the first strace has already attached to the process.

Running the first strace without the -f parameter allows you to trace the first thread of the second strace while the second strace is tracing ls.

strace strace -f ls

There is -b to detach from the LWP when a specific syscall is made, but it only supports execve. If it supported the ptrace call, it would be perfect. That means strace would need a small patch to support the ptrace call.

Alternative potential hacks include a preloaded library which implements detaching with some trickery.

A better alternative would be using a tracing tool such as systemtap or trace-cmd, which can use the kernel-provided tracing infrastructure instead of ptrace.

Upvotes: 3

kenorb

Reputation: 166409

Docker

When running strace within a Docker container, to enable ptrace, run with the SYS_PTRACE param:

docker run -it --cap-add SYS_PTRACE ubuntu

See: Running Strace in Docker.

Upvotes: 19

Joe Damato

Reputation: 1646

I mention this and more helpful tips in a recent blog post about strace.

You need to enable support for gdb, strace, and similar tools to attach to processes on the system.

You can do this temporarily by running a command to change a setting in proc:

sudo bash -c 'echo 0 > /proc/sys/kernel/yama/ptrace_scope'

You can persist that setting between system reboots by modifying /etc/sysctl.d/10-ptrace.conf and setting kernel.yama.ptrace_scope = 0.

If your system does not have /etc/sysctl.d/10-ptrace.conf, you can modify /etc/sysctl.conf and set kernel.yama.ptrace_scope = 0.

Upvotes: 2
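
Added example, not part of any answer above: a small triage script that checks the three EPERM causes the answers describe (an existing tracer, a missing CAP_SYS_PTRACE, and the Yama ptrace_scope setting) from /proc data. The function names and the sample status excerpts are constructed for illustration.

```python
import sys

CAP_SYS_PTRACE = 19  # capability bit number from <linux/capability.h>
# Constructed /proc/<pid>/status excerpts, not captured from a real system.
SAMPLE_TRACED = "Name:\tstrace\nPid:\t4321\nTracerPid:\t4320\n"
SAMPLE_UNTRACED = "Name:\tls\nPid:\t4400\nTracerPid:\t0\n"
SAMPLE_ROOT = "Name:\tstrace\nCapEff:\t000001ffffffffff\n"
SAMPLE_NO_CAP = "Name:\tstrace\nCapEff:\t00000000a80425fb\n"

def status_fields(status_text):
    """Parse /proc/<pid>/status text into a {field: value} dict."""
    fields = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def eperm_candidates(target_status, tracer_status, yama_scope):
    """Return the EPERM causes from the answers that these inputs match."""
    causes = []
    tracer_pid = int(status_fields(target_status).get("TracerPid", "0"))
    if tracer_pid:  # one tracer per process: a second ptrace gets EPERM
        causes.append(f"already traced by PID {tracer_pid}")
    cap_eff = int(status_fields(tracer_status).get("CapEff", "0"), 16)
    has_cap = bool((cap_eff >> CAP_SYS_PTRACE) & 1)
    if not has_cap:  # only matters when the trace needs privilege
        causes.append("tracer lacks CAP_SYS_PTRACE")
    if yama_scope == 3:
        causes.append("yama ptrace_scope=3: ptrace disabled")
    elif yama_scope == 2 and not has_cap:
        causes.append("yama ptrace_scope=2: CAP_SYS_PTRACE required")
    elif yama_scope == 1 and not has_cap:
        causes.append("yama ptrace_scope=1: attach limited to descendants")
    return causes

def read_text(path, default=""):
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return default

if __name__ == "__main__":
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    scope = int(read_text("/proc/sys/kernel/yama/ptrace_scope", "0").strip() or 0)
    found = eperm_candidates(read_text(f"/proc/{pid}/status"),
                             read_text("/proc/self/status"), scope)
    print("\n".join(found) or "no EPERM candidate found")
```

Pass the target PID as the first argument and run it as the user who would run strace, so that CapEff reflects the tracer's capabilities.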
