ptrace PTRACE_ATTACH failure - Linux permissions of user owned process


Question

Why do I need to run as root (not r00t_)?

#include <sys/ptrace.h>
#include <cerrno>
#include <cstdint>
#include <iostream>
using namespace std;

// main()
scan.scanProcessOffset(10838, 0x7f8c14000000); // proper pid and offset

void MemoryMapper::scanProcessOffset(unsigned int procId, unsigned long long offset)
{
    // A return of -1 with errno 1 (EPERM) means the attach was refused.
    long attach = ptrace(PTRACE_ATTACH, procId, NULL, NULL);
    cout << attach << endl << errno << endl;

    // PEEKDATA returns the word read, so -1 is only an error when errno is set.
    // (A robust version would waitpid() for the tracee to stop before peeking.)
    long memory = ptrace(PTRACE_PEEKDATA, procId, (void *)(uintptr_t)offset, NULL);
    if (memory == -1 && errno == 3) // 3 == ESRCH: no such process / not attached
    {
        cout << errno << endl;
        errno = 0;
    }

    cout << memory;
}

As you can see the process I'm hooking into is owned by r00t_

r00t_@:/proc/10838$ ls -l 
lrwxrwxrwx 1 r00t r00t_ 0 2012-04-15 08:21 exe -> /usr/bin/gedit
-rw------- 1 r00t r00t_ 0 2012-04-15 09:04 mem

Output not running as root:

r00t_@:~/memedit$ ./a.out
-1
1
3
-1

Output running as root:

r00t_@:~/memedit$ sudo ./a.out
0
0
140239607693344

Accepted answer

While some applications use prctl() to specifically disallow PTRACE_ATTACH (e.g. ssh-agent), a more general solution implemented in Yama (lwn.net/Articles/393012/) is to only allow ptrace directly from a parent to a child process (i.e. direct gdb and strace still work), or as the root user (i.e. gdb BIN PID, and strace -p PID still work as root). In the event of a local app compromise, the attacker is then not able to attach to other processes and inspect their memory and running state.

This behaviour is controlled via the /proc/sys/kernel/yama/ptrace_scope sysctl value. The default is "1" to block non-child ptrace calls. A value of "0" restores the more permissive behaviour, which may be more appropriate for development systems and/or servers with only administrative accounts. Using sudo can also temporarily grant ptrace permissions via the CAP_SYS_PTRACE capability, though this method allows the ptrace of any process.
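The following is an added example, not code from the asker or the answerer. It shows the attach pattern the answer says still works under ptrace_scope 1 (a parent tracing its own forked child), waits for the tracee to actually stop before PEEKDATA, and decodes the errno values seen in the question (1 = EPERM, 3 = ESRCH). It also reads and explains the sysctl; besides the values 0 and 1 the answer mentions, it covers the Yama values 2 (admin-only) and 3 (no attach) documented in the kernel's Yama docs. Function names and the marker value are my own.

```cpp
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>
#include <cerrno>
#include <csignal>
#include <cstring>
#include <fstream>
#include <iostream>
#include <string>

// Parse the text of /proc/sys/kernel/yama/ptrace_scope ("1\n" -> 1); -1 on garbage.
int parsePtraceScope(const std::string& text) {
    try { return std::stoi(text); } catch (...) { return -1; }
}

// Read the live sysctl; returns -1 when Yama is not present on this kernel.
int readPtraceScope() {
    std::ifstream f("/proc/sys/kernel/yama/ptrace_scope");
    std::string line;
    if (!f || !std::getline(f, line)) return -1;
    return parsePtraceScope(line);
}

// Policy meaning of each Yama scope value (0 and 1 are the ones the answer discusses).
std::string describeScope(int scope) {
    switch (scope) {
        case 0:  return "classic: any process with the same uid may attach";
        case 1:  return "restricted: only a parent/ancestor (or CAP_SYS_PTRACE) may attach";
        case 2:  return "admin-only: attaching requires CAP_SYS_PTRACE";
        case 3:  return "no attach: PTRACE_ATTACH is disabled for everyone";
        default: return "unknown (Yama not available?)";
    }
}

// Explain the errno left behind by a failed ptrace() call.
std::string describePtraceErrno(int err) {
    switch (err) {
        case EPERM: return "EPERM: not permitted (uid mismatch, Yama scope, or non-dumpable target)";
        case ESRCH: return "ESRCH: no such process, or it is not a stopped tracee of ours";
        case EIO:   return "EIO: address not readable in the tracee";
        default:    return "errno " + std::to_string(err) + ": " + std::strerror(err);
    }
}

// Fork a child and read one word from it via ptrace. Because the tracee is our own
// child, this is allowed under ptrace_scope 1 without root. Returns the word read,
// or -1 with `err` set to the failing errno.
long peekChildMarker(int& err) {
    static volatile long marker = 0x1122334455667788L;  // same address in the fork child
    pid_t child = fork();
    if (child < 0) { err = errno; return -1; }
    if (child == 0) {
        for (;;) pause();  // idle until the parent kills us
    }
    err = 0;
    long result = -1;
    if (ptrace(PTRACE_ATTACH, child, nullptr, nullptr) == -1) {
        err = errno;
    } else {
        int status = 0;
        // PTRACE_ATTACH sends SIGSTOP; the tracee must be observed stopped before PEEKDATA.
        if (waitpid(child, &status, 0) == child && WIFSTOPPED(status)) {
            errno = 0;  // PEEKDATA returns the data word, so -1 is only an error if errno is set
            long word = ptrace(PTRACE_PEEKDATA, child, (void*)&marker, nullptr);
            if (word == -1 && errno != 0) err = errno; else result = word;
        } else {
            err = errno;
        }
        ptrace(PTRACE_DETACH, child, nullptr, nullptr);
    }
    kill(child, SIGKILL);
    waitpid(child, nullptr, 0);
    return result;
}

int main() {
    int scope = readPtraceScope();
    std::cout << "ptrace_scope=" << scope << " (" << describeScope(scope) << ")\n";
    int err = 0;
    long word = peekChildMarker(err);
    if (err) std::cout << "attach/peek failed: " << describePtraceErrno(err) << "\n";
    else     std::cout << "read 0x" << std::hex << word << " from child\n";
    return err ? 1 : 0;
}
```

Run it unprivileged on a system with ptrace_scope=1 and the child read succeeds, because the tracer is the parent; attaching to an unrelated same-uid process (the asker's gedit) from the same account fails with EPERM, which is exactly the "-1 / 1" pair in the question's first output. The ESRCH (3) that followed came from PEEKDATA on a process that was never attached.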
