Linux - Debug Series: Tracing

Posted by 王万林 Ben

tags:


Linux - Debug Series: strace



Preface


1. What is strace?

man strace.

2. Usage

3. Parsing the logs

https://github.com/johnlcf/Stana
https://pypi.org/project/strace-parser/
https://crates.io/crates/strace-parse/0.4.0
https://blog.51cto.com/u_9291927/2594065

4. Common problems

"Operation not permitted" when attaching

Error details

thesre@HP-Z420-Workstation: ~ $ sleep 3000 &
[1] 9758
thesre@HP-Z420-Workstation: ~ $ 
thesre@HP-Z420-Workstation: ~ $ strace -ttTfy -p 9758 
strace: Could not attach to process. If your uid matches the uid of the target process, check the setting of /proc/sys/kernel/yama/ptrace_scope, or try again as the root user. For more details, see /etc/sysctl.d/10-ptrace.conf: Operation not permitted
strace: attach: ptrace(PTRACE_SEIZE, 9758): Operation not permitted
thesre@HP-Z420-Workstation: ~ $ 

Analysis

As the file /etc/sysctl.d/10-ptrace.conf itself explains:

# The PTRACE system is used for debugging.  With it, a single user process
# can attach to any other dumpable process owned by the same user.  In the
# case of malicious software, it is possible to use PTRACE to access
# credentials that exist in memory (re-using existing SSH connections,
# extracting GPG agent information, etc).
#
# A PTRACE scope of "0" is the more permissive mode.  A scope of "1" limits
# PTRACE only to direct child processes (e.g. "gdb name-of-program" and
# "strace -f name-of-program" work, but gdb's "attach" and "strace -fp $PID"
# do not).  The PTRACE scope is ignored when a user has CAP_SYS_PTRACE, so
# "sudo strace -fp $PID" will work as before.  For more details see:
# https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace
#
# For applications launching crash handlers that need PTRACE, exceptions can
# be registered by the debugee by declaring in the segfault handler
# specifically which process will be using PTRACE on the debugee:
#   prctl(PR_SET_PTRACER, debugger_pid, 0, 0, 0);
#
# In general, PTRACE is not needed for the average running Ubuntu system.
# To that end, the default is to set the PTRACE scope to "1".  This value
# may not be appropriate for developers or servers with only admin accounts.
# kernel.yama.ptrace_scope = 1
kernel.yama.ptrace_scope = 0

With kernel.yama.ptrace_scope = 1, tracing tools are prevented from attaching to an already running process (only processes they launch themselves can be traced);
with kernel.yama.ptrace_scope = 0, there is no such restriction.

So all we need to do is change the setting and make it take effect:

  • In /etc/sysctl.d/10-ptrace.conf, change kernel.yama.ptrace_scope = 1 to kernel.yama.ptrace_scope = 0
  • Run sudo sysctl --load=/etc/sysctl.d/10-ptrace.conf so that the new setting takes effect
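The sysctl comment quoted above already names two ways to trace without loosening the global setting: launch the program under `strace -f` from the start (scope 1 permits tracing your own children), or attach with CAP_SYS_PTRACE via `sudo`. Before editing the file, it is worth checking the live value and picking the invocation that fits. The following script is an added example written for this page, not code from the original post; it goes slightly beyond the post by also handling Yama scopes 2 (attach needs CAP_SYS_PTRACE) and 3 (attach disabled until reboot). The function names and the pid 9758 from the session above are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): given the Yama ptrace_scope
# value, decide whether "strace -p PID" can attach and print the strace
# invocation that will work instead of loosening the sysctl globally.

# ptrace_attach_mode SCOPE HAS_CAP_SYS_PTRACE
#   SCOPE              : value of /proc/sys/kernel/yama/ptrace_scope (0-3)
#   HAS_CAP_SYS_PTRACE : 1 if the tracer has CAP_SYS_PTRACE (e.g. root), else 0
# Prints one of: attach, children-only, admin-only, disabled
ptrace_attach_mode() {
    scope=$1
    privileged=${2:-0}
    case "$scope" in
        0) echo attach ;;                                   # classic: any same-uid dumpable process
        1) if [ "$privileged" = 1 ]; then echo attach; else echo children-only; fi ;;
        2) if [ "$privileged" = 1 ]; then echo attach; else echo admin-only; fi ;;
        3) echo disabled ;;                                 # no attach at all, cannot be lowered at runtime
        *) echo "unknown ptrace_scope: $scope" >&2; return 1 ;;
    esac
}

# recommend_strace MODE PID PROGRAM
# Maps the mode above to the strace command line to use (flags as in the post).
recommend_strace() {
    mode=$1; pid=$2; prog=$3
    case "$mode" in
        attach)        echo "strace -ttTfy -p $pid" ;;
        children-only) echo "strace -ttTfy -f $prog" ;;     # start it under strace instead of attaching
        admin-only)    echo "sudo strace -ttTfy -p $pid" ;;
        disabled)      echo "ptrace attach is disabled until reboot" ;;
        *)             echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# current_scope: read the live value when the Yama sysctl exists on this kernel.
current_scope() {
    f=/proc/sys/kernel/yama/ptrace_scope
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo "Yama ptrace_scope not present on this system" >&2
        return 1
    fi
}

# Demonstration against the scenario in the post: pid 9758 ("sleep 3000 &").
if scope=$(current_scope 2>/dev/null); then
    if [ "$(id -u)" -eq 0 ]; then priv=1; else priv=0; fi
    mode=$(ptrace_attach_mode "$scope" "$priv")
    echo "ptrace_scope=$scope, CAP_SYS_PTRACE=$priv -> $mode"
    recommend_strace "$mode" 9758 "sleep 3000"
fi
```

For the situation in the post (unprivileged user, scope 1) the script reports `children-only` and suggests `strace -ttTfy -f sleep 3000`; running `sudo strace -ttTfy -p 9758` also works, because the scope is ignored for a tracer holding CAP_SYS_PTRACE. Either avoids lowering the protection the config comment describes (PTRACE being used to read credentials out of another process's memory) for every process on the host.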

Summary

Summary of the article.

References

https://dev.to/captainsafia/say-this-five-times-fast-strace-ptrace-dtrace-dtruss-3e1b
