Why do I need to run as root (not r00t_)?
// main()
scan.scanProcessOffset(10838, 0x7f8c14000000); // proper pid and offset
void MemoryMapper::scanProcessOffset(unsigned int procId, unsigned long long offset)
{
long attach = ptrace(PTRACE_ATTACH, procId, NULL, NULL);
cout << attach << endl << errno << endl;
long memory = ptrace(PTRACE_PEEKDATA, procId, offset);
if (memory == -1 && errno == 3)
{
cout << errno << endl;
errno = 0;
}
cout << memory;
}
As you can see the process I’m hooking into is owned by r00t_
r00t_@:/proc/10838$ ls -l
lrwxrwxrwx 1 r00t r00t_ 0 2012-04-15 08:21 exe -> /usr/bin/gedit
-rw------- 1 r00t r00t_ 0 2012-04-15 09:04 mem
Output not running as root:
r00t_@:~/memedit$ ./a.out
-1
1
3
-1
Output as root:
r00t_@:~/memedit$ sudo ./a.out
0
0
140239607693344
why cant I attach when I am the owner of the process I’m trying to attach to?
While some applications use
prctl()to specifically disallowPTRACE_ATTACH(e.g. ssh-agent), a more general solution implemented in Yama is to only allowptracedirectly from a parent to a child process (i.e. directgdbandstracestill work), or as the root user (i.e.gdb BIN PID, andstrace -p PIDstill work as root).In the event of a local app compromise, the attacker is then not able to attach to other processes and inspect their memory and running state.
This behaviour is controlled via the
/proc/sys/kernel/yama/ptrace_scopesysctl value. The default is “1” to block non-childptracecalls. A value of “0” restores the more permissive behaviour, which may be more appropriate for development systems and/or servers with only administrative accounts. Usingsudocan also temporarily grantptracepermissions via theCAP_SYS_PTRACEcapability, though this method allows theptraceof any process.