I'm trying to attach to a program with gdb but it returns:
Attaching to process 29139
Could not attach to process. If your uid matches the ui
If you are using Docker, you will probably need these options:
docker run --cap-add=SYS_PTRACE --security-opt seccomp=unconfined
I would like to add that I needed --security-opt apparmor=unconfined along with the options that @wisbucky mentioned. This was on Ubuntu 18.04 (both Docker client and host). Therefore, the full invocation for enabling gdb debugging within a container is:
docker run --cap-add=SYS_PTRACE --security-opt seccomp=unconfined --security-opt apparmor=unconfined
Jesup's answer is correct; it is due to Linux kernel hardening. In my case, I am using Docker Community for Mac, and in order to change the flag I must enter the LinuxKit shell using Justin Cormack's nsenter (ref: https://www.bretfisher.com/docker-for-mac-commands-for-getting-into-local-docker-vm/ ).
docker run -it --rm --privileged --pid=host justincormack/nsenter1
/ # cat /etc/issue
Welcome to LinuxKit
/ # cat /proc/sys/kernel/yama/ptrace_scope
1
/ # echo 0 > /proc/sys/kernel/yama/ptrace_scope
/ # exit
Not really addressing the above use-case but I had this problem:
Problem: It happened that I started my program with sudo, so when launching gdb it was giving me ptrace: Operation not permitted.
Solution: sudo gdb ...
I was going to answer this old question as it is unaccepted and the other answers have not got the point. The real answer may already be written in /etc/sysctl.d/10-ptrace.conf, as is the case for me under Ubuntu. This file says:
For applications launching crash handlers that need PTRACE, exceptions can be registered by the debugee by declaring in the segfault handler specifically which process will be using PTRACE on the debugee: prctl(PR_SET_PTRACER, debugger_pid, 0, 0, 0);
So just do the same thing as above: keep /proc/sys/kernel/yama/ptrace_scope as 1 and add prctl(PR_SET_PTRACER, debugger_pid, 0, 0, 0); in the debuggee. Then the debuggee will allow the debugger to debug it. This works without sudo and without a reboot.
Usually, the debuggee also needs to call waitpid to avoid exiting after the crash, so the debugger can find the pid of the debuggee.
I was running my code with higher privileges to deal with Ethernet raw sockets by using the setcap command on Debian. I tried the above solution: echo 0 > /proc/sys/kernel/yama/ptrace_scope, or modifying it in /etc/sysctl.d/10-ptrace.conf, but that did not work for me.
Additionally, I also tried the setcap command on gdb in its installed directory (/usr/bin/gdb) and it works: /sbin/setcap CAP_SYS_PTRACE=+eip /usr/bin/gdb
Be sure to run this command with root privileges.