gdb似乎忽略了可执行功能

本文介绍了gdb似乎忽略了可执行功能的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我正在调试使用libnetfilter_queue的程序.该文档指出，用户空间队列处理应用程序需要CAP_NET_ADMIN功能才能运行.我已经使用setcap实用程序完成了此操作，如下所示:

I am debugging a program that makes use of libnetfilter_queue. The documentation states that a userspace queue-handling application needs the CAP_NET_ADMIN capability to function. I have done this using the setcap utility as follows:

$ sudo setcap cap_net_raw,cap_net_admin=eip ./a.out

我已经验证了以下功能的正确应用:a)程序正常运行，b)getcap返回以下输出:

I have verified that the capabilities are applied correctly as a) the program works and b) getcap returns the following output:

$ getcap ./a.out ./a.out = cap_net_admin,cap_net_raw+eip

但是，当我尝试从命令行使用gdb(例如$ gdb ./a.out)调试该程序时，由于未设置正确的权限，该程序失败. gdb的调试功能在其他情况下可以正常工作，并且可以正常进行调试.

However, when I attempt to debug this program using gdb (e.g. $ gdb ./a.out) from the command line, it fails on account of not having the correct permissions set. The debugging functionality of gdb works perfectly otherwise and debugs as per normal.

我什至试图将这些功能应用于gdb二进制文件本身也无济于事.我按照它的样子进行了操作(如联机帮助页，"i"标志可能允许被调试者继承调试器的功能.

I have even attempted to apply these capabilities to the gdb binary itself to no avail. I did this as it seemed (as documented by the manpages that the "i" flag might allowed the debugee to inherit the capability from the debugger.

我是否缺少一些琐碎的事情，或者真的不能做到吗?

Is there something trivial I am missing or can this really not be done?

推荐答案

前一段时间，我确实遇到了同样的问题.我的猜测是，运行具有附加功能的调试程序是一个安全问题.

A while ago I did run into the same problem. My guess is that running the debugged program with the additional capabilities is a security issue.

您的程序具有比运行该程序的用户更多的特权.使用调试器，用户可以操纵程序的执行.因此，如果程序在调试器下以额外的特权运行，则用户可以将这些特权用于其他目的，而不是程序打算使用这些特权.这将是一个严重的安全漏洞，因为用户首先没有特权.

Your program has more privileges than the user that runs it. With a debugger a user can manipulate the execution of the program. So if the program runs under the debugger with the extra privileges then the user could use these privileges for other purposes than for which the program intended to use them. This would be a serious security hole, because the user does not have the privileges in the first place.