warning: Error disabling address space randomization: Operation not permitted


Solution 1

If you're using Docker, you probably need the --security-opt seccomp=unconfined option (as well as enabling ptrace):

docker run --cap-add=SYS_PTRACE --security-opt seccomp=unconfined

Solution 2

For whatever reason, your user account doesn't have permission to disable the kernel's address space layout randomisation for this process. By default, gdb turns this off because it makes some sorts of debugging easier (in particular, it means the address of stack objects will be the same each time you run your program). Read more here.

You can work around this problem by disabling this feature of gdb with set disable-randomization off.

As for getting your user the permission needed to disable ASLR, it probably boils down to having write permission to /proc/sys/kernel/randomize_va_space. Read more here.

Solution 3

Building on wisbucky's answer (thank you!), here are the same settings for Docker compose:

security_opt:
  - seccomp:unconfined
cap_add:
  - SYS_PTRACE

The security option seccomp:unconfined fixed the address space randomization warnings.

The capability SYS_PTRACE didn't seem to have a noticeable effect even though the Docker documentation states that SYS_PTRACE is a capability that is "not granted by default". Perhaps I don't know what to look for.
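What is actually failing, shown as an added example (this is my own C program, not code from any of the answers above, and it assumes a Linux host or container). At `run`, gdb forks and, in the child, calls personality(ADDR_NO_RANDOMIZE) before execve(); Docker's default seccomp profile only permits personality() with a few fixed argument values, so that call returns EPERM and gdb prints the warning from the question. The program repeats that call and reports the three settings a practitioner would check from inside the container: whether a seccomp filter is active (mode 2 means a profile is loaded; `--security-opt seccomp=unconfined` removes it), whether CAP_SYS_PTRACE is in the effective set (this is all `--cap-add=SYS_PTRACE` changes, which is why it has no visible effect on the ASLR warning; check bit 19 of CapEff), and the system-wide randomize_va_space sysctl, which gdb does not write to. The file and function names are mine.

```c
/* aslr_probe.c: reproduce the syscall gdb makes at "run" and explain the outcome.
 * Added example, not from the Stack Overflow answers; Linux only.
 * Build: gcc -Wall -o aslr_probe aslr_probe.c */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/personality.h>

#define CAP_SYS_PTRACE_BIT 19   /* value of CAP_SYS_PTRACE in <linux/capability.h> */

/* Same thing gdb's child does before execve(): keep the current persona and OR in
 * ADDR_NO_RANDOMIZE. Under Docker's default seccomp profile this fails with EPERM.
 * Returns 0 on success, otherwise the errno value. */
int try_disable_aslr(void)
{
    int cur = personality(0xffffffff);          /* query only; allowed by the default profile */
    if (cur == -1)
        return errno;
    if (personality((unsigned long)cur | ADDR_NO_RANDOMIZE) == -1)
        return errno;
    return 0;
}

/* 1 if this process already runs with ADDR_NO_RANDOMIZE, 0 if not, -1 on error. */
int aslr_disabled_in_this_process(void)
{
    int cur = personality(0xffffffff);
    if (cur == -1)
        return -1;
    return (cur & ADDR_NO_RANDOMIZE) ? 1 : 0;
}

/* Reads one "Key:\tvalue" line from /proc/self/status; returns NULL if absent. */
static char *proc_status_field(const char *key, char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return NULL;
    size_t klen = strlen(key);
    char *found = NULL;
    while (fgets(buf, len, f)) {
        if (strncmp(buf, key, klen) == 0 && buf[klen] == ':') {
            found = buf + klen + 1;
            while (*found == ' ' || *found == '\t')
                found++;
            found[strcspn(found, "\n")] = '\0';
            break;
        }
    }
    fclose(f);
    return found;
}

/* Seccomp mode of this process: 0 disabled, 1 strict, 2 filter; -1 if unknown.
 * Mode 2 inside a container means a seccomp profile is active. */
int seccomp_mode(void)
{
    char buf[256];
    char *v = proc_status_field("Seccomp", buf, sizeof buf);
    return v ? atoi(v) : -1;
}

/* 1 if CAP_SYS_PTRACE is in the effective capability set, 0 if not, -1 on error.
 * This is what --cap-add=SYS_PTRACE changes; it is unrelated to the ASLR warning. */
int have_cap_sys_ptrace(void)
{
    char buf[256];
    char *v = proc_status_field("CapEff", buf, sizeof buf);
    if (!v)
        return -1;
    unsigned long long caps = strtoull(v, NULL, 16);
    return (int)((caps >> CAP_SYS_PTRACE_BIT) & 1ULL);
}

/* System-wide ASLR policy: 0 off, 1 conservative, 2 full (the usual default);
 * -1 if unreadable. gdb never writes this file; it only changes its child's persona. */
int randomize_va_space_sysctl(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (!f)
        return -1;
    int v = -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

int main(void)
{
    printf("kernel.randomize_va_space = %d\n", randomize_va_space_sysctl());
    printf("seccomp mode              = %d\n", seccomp_mode());
    printf("CAP_SYS_PTRACE effective  = %d\n", have_cap_sys_ptrace());
    int rc = try_disable_aslr();
    if (rc == 0)
        printf("personality(ADDR_NO_RANDOMIZE): ok, gdb can disable ASLR here\n");
    else
        printf("personality(ADDR_NO_RANDOMIZE): %s (gdb prints the same warning)\n",
               strerror(rc));
    return 0;
}
```

Run it once in a plain `docker run` container and once with `--security-opt seccomp=unconfined`: only the last line changes, and CAP_SYS_PTRACE stays 0 in both unless `--cap-add=SYS_PTRACE` is also passed. Note that `seccomp=unconfined` drops the entire default syscall filter for the container; if you only need gdb's ASLR handling, a copy of Docker's default profile with the `personality` restriction relaxed, passed as `--security-opt seccomp=/path/to/profile.json`, is the narrower change, and `set disable-randomization off` inside gdb avoids the call altogether.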

Author: Jas

Updated on September 01, 2020

Comments

  • Jas
    Jas almost 4 years

    What have I done wrong (or didn't do) that gdb is not working properly for me?

    root@6be3d60ab7c6:/# cat minimal.c 
    int main()
    {
      int i = 1337;
      return 0;
    }
    root@6be3d60ab7c6:/# gcc -g minimal.c -o minimal
    root@6be3d60ab7c6:/# gdb minimal
    GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
    .
    .
    .
    Reading symbols from minimal...done.
    (gdb) break main
    Breakpoint 1 at 0x4004f1: file minimal.c, line 3.
    (gdb) run
    Starting program: /minimal 
    warning: Error disabling address space randomization: Operation not permitted
    During startup program exited normally.
    (gdb) 
    (gdb) print i   
    No symbol "i" in current context.
    
  • VorpalSword
    VorpalSword about 6 years
    thanks for this - I've no idea how much time I'd've lost learning this the hard way!
  • parched
    parched over 5 years
    I think --cap-add=SYS_PTRACE is only needed when attaching gdb to an already running process.
  • Ra'Jiska
    Ra'Jiska almost 5 years
    Could you provide the security issues using these options might involve ?
  • sh.3.ll
    sh.3.ll about 4 years
    Is there a way to apply this command to an already running instance? Because I don't want to remove this instance and start a new one
  • Marc43
    Marc43 almost 4 years
    You have a typo, it is unconfined not unconfirmed