ptrace PTRACE_ATTACH failure - Linux permissions of user owned process
Question
Why do I need to run as root (not r00t_)?
// main()
scan.scanProcessOffset(10838, 0x7f8c14000000); // proper pid and offset

void MemoryMapper::scanProcessOffset(unsigned int procId, unsigned long long offset)
{
    // Try to attach to the target; prints the return value, then errno (1 = EPERM)
    long attach = ptrace(PTRACE_ATTACH, procId, NULL, NULL);
    cout << attach << endl << errno << endl;

    // Read one word from the target's memory at the given offset
    long memory = ptrace(PTRACE_PEEKDATA, procId, offset);
    if (memory == -1 && errno == 3) // 3 = ESRCH
    {
        cout << errno << endl;
        errno = 0;
    }
    cout << memory;
}
As you can see the process I'm hooking into is owned by r00t_
r00t_@:/proc/10838$ ls -l
lrwxrwxrwx 1 r00t r00t_ 0 2012-04-15 08:21 exe -> /usr/bin/gedit
-rw------- 1 r00t r00t_ 0 2012-04-15 09:04 mem
Output not running as root:
r00t_@:~/memedit$ ./a.out
-1
1
3
-1
Output as root:
r00t_@:~/memedit$ sudo ./a.out
0
0
140239607693344
Recommended answer
While some applications use prctl() to specifically disallow PTRACE_ATTACH (e.g. ssh-agent), a more general solution implemented in Yama (lwn.net/Articles/393012/) is to only allow ptrace directly from a parent to a child process (i.e. direct gdb and strace still work), or as the root user (i.e. gdb BIN PID, and strace -p PID still work as root). In the event of a local app compromise, the attacker is then not able to attach to other processes and inspect their memory and running state.
This behaviour is controlled via the /proc/sys/kernel/yama/ptrace_scope sysctl value. The default is "1" to block non-child ptrace calls. A value of "0" restores the more permissive behaviour, which may be more appropriate for development systems and/or servers with only administrative accounts. Using sudo can also temporarily grant ptrace permissions via the CAP_SYS_PTRACE capability, though this method allows the ptrace of any process.
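A diagnostic for the EPERM seen in the question, as an added example that is not part of the original question or answer: it reads ptrace_scope, tries the attach, and reports whether Yama is what refused it. The function names are hypothetical, and the handling of scope values 2 and 3 goes beyond the 0 and 1 described above, following the kernel's Yama documentation.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Read Yama's ptrace_scope; -1 means the file is absent or unreadable. */
int read_ptrace_scope(const char *path) {
    FILE *f = fopen(path, "r");
    int scope = -1;
    if (f == NULL) return -1;
    if (fscanf(f, "%d", &scope) != 1) scope = -1;
    fclose(f);
    return scope;
}

/* Yama's verdict on PTRACE_ATTACH once the ordinary same-user check has passed.
 * is_descendant: target descends from the tracer (PR_SET_PTRACER exceptions
 * are not modelled). has_cap: tracer holds CAP_SYS_PTRACE, e.g. via sudo. */
int yama_allows_attach(int scope, int is_descendant, int has_cap) {
    if (scope < 0) return 1;                         /* Yama absent: classic rules only */
    if (scope == 0) return 1;                        /* permissive setting */
    if (scope == 1) return is_descendant || has_cap; /* the default described above */
    if (scope == 2) return has_cap;                  /* admin-only attach */
    return 0;                                        /* 3: attach disabled */
}

/* Attach, wait for the stop, detach. Returns 0 or the errno of PTRACE_ATTACH. */
int try_attach(pid_t pid) {
    int status;
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) return errno;
    waitpid(pid, &status, 0); /* the tracee must be stopped before any PEEKDATA */
    ptrace(PTRACE_DETACH, pid, NULL, NULL);
    return 0;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s PID\n", argv[0]); return 2; }
    int scope = read_ptrace_scope("/proc/sys/kernel/yama/ptrace_scope");
    int err = try_attach((pid_t)atoi(argv[1]));
    printf("ptrace_scope=%d attach=%s\n", scope, err ? strerror(err) : "ok");
    if (err == EPERM && !yama_allows_attach(scope, 0, 0)) /* assumes non-child, no capability */
        printf("Yama refuses a same-user attach to a non-child at this scope\n");
    return err ? 1 : 0;
}
```

Run as the unprivileged user against a PID owned by that user; when the attach itself fails, a later PTRACE_PEEKDATA fails with ESRCH, which is the 3 printed in the question's output.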