warning: Error disabling address space randomization: Operation not permitted
Solution 1
If you're using Docker, you probably need the --security-opt seccomp=unconfined
option (as well as enabling ptrace):
docker run --cap-add=SYS_PTRACE --security-opt seccomp=unconfined
Solution 2
For whatever reason, your user account doesn't have permission to disable the kernel's address space layout randomisation for this process. By default, gdb turns this off because it makes some sorts of debugging easier (in particular, it means the address of stack objects will be the same each time you run your program). Read more here.
You can work around this problem by disabling this feature of gdb with set disable-randomization off
.
As for getting your user the permission needed to disable ASLR, it probably boils down to having write permission to /proc/sys/kernel/randomize_va_space
. Read more here.
Solution 3
Building on wisbucky's answer (thank you!), here are the same settings for Docker compose:
security_opt:
- seccomp:unconfined
cap_add:
- SYS_PTRACE
The security option seccomp:unconfined
fixed the address space randomization
warnings.
The capability SYS_PTRACE didn't seem to have a noticeable effect even though the Docker documentation states that SYS_PTRACE is a capability that is "not granted by default". Perhaps I don't know what to look for.
Jas
Updated on September 01, 2020Comments
-
Jas almost 4 years
what have i done wrong (or didn't do) that
gdb
is not working properly for me?root@6be3d60ab7c6:/# cat minimal.c int main() { int i = 1337; return 0; } root@6be3d60ab7c6:/# gcc -g minimal.c -o minimal root@6be3d60ab7c6:/# gdb minimal GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1 . . . Reading symbols from minimal...done. (gdb) break main Breakpoint 1 at 0x4004f1: file minimal.c, line 3. (gdb) run Starting program: /minimal warning: Error disabling address space randomization: Operation not permitted During startup program exited normally. (gdb) (gdb) print i No symbol "i" in current context.
-
VorpalSword about 6 yearsthanks for this - I've no idea how much time I'd've lost learning this the hard way!
-
parched over 5 yearsI think
--cap-add=SYS_PTRACE
is only needed when attachinggdb
to an already running process. -
Ra'Jiska almost 5 yearsCould you provide the security issues using these options might involve ?
-
sh.3.ll about 4 yearsIs there a way to apply this command to an already running instance? Because I don't want to remove this instance and start a new one
-
Marc43 almost 4 yearsYOu have a typo, it is unconfined not unconfirmed