On 27/12/2023 07:45, Greg Wooledge wrote:
> Yeah, even on Debian systems where ping isn't setuid root, it still seems
> to need special capabilities that strace interferes with, or isn't
> allowed to attach to, or something.
$ /usr/sbin/getcap /usr/bin/ping
/usr/bin/ping cap_net_raw=ep
These are still elevated privileges, and they are dropped for traced
processes to avoid malicious actions by the controlling process. SETGID
may be a trick specifically to avoid tracing:
$ ls -l /usr/bin/ssh-agent
-rwxr-sr-x 1 root _ssh 481664 Dec 19 21:51 /usr/bin/ssh-agent
So, pick something other than ping, or run the strace as root.
Attaching from an unprivileged process to trace another process (strace -p
PID) may be disabled using the following sysctl:
kernel.yama.ptrace_scope = 1
For details see
https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html
In Ubuntu this security measure is enabled out of the box. In Debian,
higher priority was given to developers who may need to attach a debugger
to a running process.
So it is not uncommon for tracing to be blocked.
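The three conditions discussed in this thread (setuid/setgid bits, file capabilities, and the Yama ptrace_scope sysctl) can be checked together. The following script is an added example and is not part of the mail thread or of any Debian or strace tool; the result labels (ok, privileged-binary, yama-restricted, yama-admin-only, yama-no-attach) are my own names, and the scope meanings follow the Yama documentation linked above (0 = classic, 1 = restricted to descendants, 2 = admin only, 3 = no attach at all). The sample inputs are constructed from the ls and getcap output shown in the thread.

```sh
#!/bin/sh
# Added example (not from the original thread): explain why strace on a
# given binary is likely to fail, from the facts discussed in the mail.

# has_elevated_bits MODE -> prints setuid, setgid, setuid,setgid or none.
# MODE is the 10-character permission field from `ls -l`, e.g. -rwxr-sr-x:
# the owner execute slot (4th char) carries setuid, the group slot (7th) setgid.
has_elevated_bits() {
    mode=$1
    out=""
    case "$mode" in
        ???[sS]*) out="setuid" ;;
    esac
    case "$mode" in
        ??????[sS]*) out="${out:+$out,}setgid" ;;
    esac
    printf '%s\n' "${out:-none}"
}

# has_file_caps GETCAP_LINE -> success if the getcap output names any
# capability, e.g. "/usr/bin/ping cap_net_raw=ep". getcap prints nothing
# for a binary without file capabilities, so an empty string means none.
has_file_caps() {
    case "$1" in
        *cap_*) return 0 ;;
        *) return 1 ;;
    esac
}

# explain_trace_block ACTION MODE GETCAP_LINE PTRACE_SCOPE AS_ROOT
#   ACTION       launch (strace ./prog) or attach (strace -p PID)
#   PTRACE_SCOPE value of kernel.yama.ptrace_scope (0..3)
#   AS_ROOT      1 if the tracer runs as root (has CAP_SYS_PTRACE), else 0
# Prints one label describing the first blocking condition found.
explain_trace_block() {
    action=$1; mode=$2; caps=$3; scope=$4; as_root=$5
    bits=$(has_elevated_bits "$mode")
    # Yama only governs PTRACE_ATTACH to an existing process; launching a
    # child under strace is a descendant relationship and is always allowed
    # by scope 0 and 1.
    if [ "$action" = attach ]; then
        case "$scope" in
            3) printf 'yama-no-attach\n'; return ;;
            2) [ "$as_root" = 1 ] || { printf 'yama-admin-only\n'; return; } ;;
            1) [ "$as_root" = 1 ] || { printf 'yama-restricted\n'; return; } ;;
        esac
    fi
    # A setuid/setgid or capability-bearing binary has its elevated
    # privileges dropped when traced by an unprivileged tracer (and the
    # resulting process is not dumpable, so attaching is refused too).
    if [ "$as_root" != 1 ] && { [ "$bits" != none ] || has_file_caps "$caps"; }; then
        printf 'privileged-binary\n'; return
    fi
    printf 'ok\n'
}

# current_ptrace_scope -> the live sysctl value, or "unavailable" when the
# Yama LSM is not present on this kernel.
current_ptrace_scope() {
    f=/proc/sys/kernel/yama/ptrace_scope
    if [ -r "$f" ]; then cat "$f"; else printf 'unavailable\n'; fi
}

# Worked cases with the constructed values from the thread.
echo "ping under strace, unprivileged:  $(explain_trace_block launch -rwxr-xr-x '/usr/bin/ping cap_net_raw=ep' 0 0)"
echo "ping under strace, as root:       $(explain_trace_block launch -rwxr-xr-x '/usr/bin/ping cap_net_raw=ep' 0 1)"
echo "strace -p on ssh-agent (setgid):  $(explain_trace_block attach -rwxr-sr-x '' 0 0)"
echo "strace -p, ptrace_scope=1, user:  $(explain_trace_block attach -rwxr-xr-x '' 1 0)"
echo "this host's ptrace_scope:         $(current_ptrace_scope)"
```

The script does not need root: it reasons from the permission string, the getcap line and the sysctl value, so the same checks can be run against a copied `ls -l` line from another machine. On a host where Yama is compiled out, current_ptrace_scope reports unavailable and the attach rules reduce to the classic behaviour (scope 0).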