/g/ - Technology




File: 2026_03_22_121739.jpg (119 KB, 1080x1346)
previous: >>108422331

#define __NR_ptrace                101


we've got the mother of all syscalls on our hands today. to the point where i'm even mixing up the thread format to account for it.
first of all, let me tell you, as someone who has read through both extensively, the documentation (at least as of the time i read it) on man7 and die were not the same. each had useful information present that the other did not. so you should absolutely read both, cover to cover:
https://man7.org/linux/man-pages/man2/ptrace.2.html
https://linux.die.net/man/2/ptrace

seriously, read through those entirely before posting. this syscall is fiendishly complex, and if i'm being honest it's really difficult to work with it without extensive practice.

i'll include some other resources for those of you who are interested in learning more:
https://tartanllama.xyz/posts/writing-a-linux-debugger/setup/
https://stackoverflow.com/questions/18577956/how-to-use-ptrace-to-get-a-consistent-view-of-multiple-threads
https://stackoverflow.com/questions/5477976/how-to-ptrace-a-multi-threaded-application
https://web.archive.org/web/20180320073005/https://www.linuxjournal.com/article/6100
https://web.archive.org/web/20180317081836/https://www.linuxjournal.com/article/6210

i remembered that tartanllama blog series, and was trying to find it for a while, but that proved really difficult (that shit is NOT search engine optimized, let me tell you), so you'd better be thankful! you should definitely look at the cited sources for it, too, because some of those are also pretty good:
https://eli.thegreenplace.net/2011/01/23/how-debuggers-work-part-1
https://t-a-w.blogspot.com/2007/03/how-to-code-debuggers.html

i'll go ahead and include some questions to start us off, so that this thread isn't just a total resource dump:
- have you ever used ptrace before? if so, in what circumstances?
- do you have any tips and tricks for others who might want to use the syscall? pitfalls to avoid?
- have you ever seen someone else use ptrace, or else used a tool that makes use of it? (EVERYONE should be able to answer yes to this question)
- PTRACE_ATTACH or PTRACE_SEIZE? personally, i'm an attach girlie, but i can definitely see the argument in favor of seize. oh, i guess PTRACE_TRACEME is also an option, huh?
- PTRACE_SYSCALL, PTRACE_SINGLESTEP, or PTRACE_CONT with breakpoints?
- do you have any strong opinions about the syscall, or just other information you'd like to share with everyone?

relevant resources:
man man
man syscalls
https://man7.org/linux/man-pages/
https://linux.die.net/man/
https://elixir.bootlin.com/linux/
https://elixir.bootlin.com/musl/
https://elixir.bootlin.com/glibc/
>>
going to try to keep this one bumped a bit higher than usual
>>
gamozolabs has a few VODs going through creating a GNU/linux debugger and you can see how terrible ptrace is to work with in practice.
>>
>>108430888
yeah, it is a nightmare of state. good luck keeping track
>>
bumping this thread
>>
what's this thread about?
>>
>>108432291
ptrace
>>
>>108430426
I've only ever used ptrace (the utility) once to debug an issue I had like a year and a half ago where Forgejo's Actions runner would, on every invocation of a pnpm build command, fail to authenticate to a private npm repo (Forgejo's, specifically) behind a local CA's SSL certificate. At the time, the UI for this was hot garbage and so instead of showing you the error it would just hang indefinitely. I used ptrace to figure out which process it was from the machine running the workflow containers and then kill that pnpm process. Doing so would then show a stacktrace in the UI so I could actually debug the problem.

I've also seen Kanidm specifically refuse to run with ptrace hooked into it. It prints an error stating that ptrace breaks its security model. How can this be? It's an IDM server so maybe ptrace could be used to inspect protected memory or whatever? Maybe an anon can enlighten me about the wonders of ptrace in regards to why some programs want to prevent it from being used on them.
>>
>>108430426
>pic
I hate extroverts so much it's unreal.
>>
>>108432802
ptrace gives you arbitrary control over a process. you can read from and write to all of its memory, including executable memory
>>
>>108432812
they can be nice, if they adopt you!
>>
>>108433772
Yeah, and they'll bring you along to their social meetings and stuff... real fucking nice.
>>
>>108430426
these threads are getting boring

maybe start including examples of how syscall can be used instead of just spamming documentation links
>>
>>108433852
i have an extrovert friend who i go on dinner dates with every now and then it's fun
>>
>>108433936
Good for you, buddy. I hate people. If I could be locked up, wall in the doors and just leave a hole to pass the grub and the shit bucket, and preferably the guy passing it didn't talk to me. Yeah, that'd be a dream come true.
>>
>>108433883
this one is far too complicated for that. i went out of my way to aggregate a lot of useful blog posts on the topic. most of them have toy examples that walk you through how it's used
>>
little disappointed in the lack of replies to this thread ( ._.)
i really expected this one to get a ton of discussion
>>
>>108432802
>I've also seen Kanidm specifically refuse to run with ptrace hooked into it.
How does a thread know that something called ptrace(2) on it?
>>
>>108435157
It can use prctl(2) with the SET_DUMPABLE enum, though I'm not sure how well this works to totally prevent someone from ptracing a program.
>>
>>108433883
You think that's bad look at /a/, almost a third of the catalog is just manga dumps with nobody saying anything since 2020.
>>
>>108435157
https://man7.org/linux/man-pages/man5/proc_pid_status.5.html
>TracerPid
> PID of process tracing this process (0 if not being traced).
>>108435310
that has no effect on processes with CAP_SYS_PTRACE
>Deny access if the target process "dumpable" attribute has a value other than 1 (SUID_DUMP_USER; see the discussion of PR_SET_DUMPABLE in prctl(2)), and the caller does not have the CAP_SYS_PTRACE capability in the user namespace of the target process.
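
Added example, not written by any poster in this thread and not Kanidm's code: the two mechanisms mentioned above (TracerPid in /proc/self/status and PR_SET_DUMPABLE) combined into a fail-closed startup check in C. The function names are hypothetical; as the quoted man page text says, clearing the dumpable flag does not stop a tracer that holds CAP_SYS_PTRACE.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>

/* Parse "TracerPid:" from /proc/<pid>/status text (hypothetical helper).
 * Returns the tracer PID, 0 if untraced, -1 if the field is absent. */
long parse_tracer_pid(const char *status_text)
{
    for (const char *p = status_text; p && *p; ) {
        if (strncmp(p, "TracerPid:", 10) == 0)
            return strtol(p + 10, NULL, 10);
        p = strchr(p, '\n');      /* advance to the next line */
        if (p) p++;
    }
    return -1;
}

/* Read this process's own status file and return its TracerPid. */
long current_tracer_pid(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* Clear the dumpable flag so attaches without CAP_SYS_PTRACE are denied.
 * Does not detach an existing tracer and does not stop CAP_SYS_PTRACE.
 * Returns the flag as read back: 0 on success, -1 on error. */
int disable_dumpable(void)
{
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

int main(void)
{
    long tracer = current_tracer_pid();
    if (tracer != 0) {            /* traced, or status unreadable: fail closed */
        fprintf(stderr, "TracerPid=%ld, refusing to start\n", tracer);
        return 1;
    }
    if (disable_dumpable() != 0) return 1;
    puts("not traced; dumpable flag cleared");
    return 0;
}
```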
>>
>>108436218
https://github.com/kanidm/kanidm/blob/6bc348db5271e65cbc062b02e8ac3617e3995780/server/daemon/src/main.rs#L643-L651
so this is not enough?
>>
>>108430426
I hope she learned to have fun with the others as I learn about syscalls from you, OP
>>
bampu
>>
>>108434966
I've noticed your silly threads lately. Ok I'll bite, what the fuck do I do with ptrace, assuming I only know how to use C and use Makefiles and mostly I develop embedded shit.
>>
>>108436666
i mean, how do you define "enough"? someone with root access to the machine already has more or less full access to it anyway, so you're not really missing out on much. plus, that's racy. someone could ptrace you before the call to prctl
>>108441135
ptrace is what enables binaries like strace and gdb, which is useful for debugging
it effectively lets you puppet a process however you like
>>
>>108441173
>ptrace is what enables binaries like strace and gdb, which is useful for debugging
Wait but I always use -ggdb and it readies gdb for me. Does it make sense to use ptrace when already compiling with debugger info?
>>
>>108441525
it depends on what you want to do. gdb, as the name suggests, is a debugger. you can use ptrace to do a lot of other things besides debugging (technically you can also use gdb for all these things, but it's not intended to be used that way)
>>
bampu
>>
>>108434966
I'm sorry anon... I know quite little about this syscall, and don't have the time to get myself acquainted with it in time...
>>
>>108442583
i can probably forgive u just this once...
>>
bampu
>>
>>108443313
funnily, this is like the 4th you've said this
>>
>>108445611
4th time
>>
>>108445611
shhhhhh don't worry about it
>>
>>108432291
>>108432298
what is the use case for ptrace? bulge maxing?*pants grab*
>>
>>108447539
@_@
>>
>>108430426
cute
>>
yeah this is too complicated for me, sorry OP. I'll tune in for the next one though
>>
>>108450313
honestly that's a fair answer. it is like insanely insanely complex
>>
bampu


