gdb appears to ignore executable capabilities

I am debugging a program that makes use of libnetfilter_queue. The documentation states that a userspace queue-handling application needs the CAP_NET_ADMIN capability to function. I have done this using the setcap utility as follows:

$ sudo setcap cap_net_raw,cap_net_admin=eip ./a.out

I have verified that the capabilities are applied correctly as a) the program works and b) getcap returns the following output:

$ getcap ./a.out
./a.out = cap_net_admin,cap_net_raw+eip

However, when I attempt to debug this program using gdb (e.g. $ gdb ./a.out) from the command line, it fails on account of not having the correct permissions set. The debugging functionality of gdb works perfectly otherwise and debugs as per normal.

I have even attempted to apply these capabilities to the gdb binary itself, to no avail. I did this as it seemed (as documented by the manpages) that the "i" flag might allow the debuggee to inherit the capability from the debugger.

Is there something trivial I am missing or can this really not be done?

asked Dec 05 '10 02:12

Sedate Alien



1 Answer

I ran into the same problem, and at the beginning I thought the same as above, that maybe gdb is ignoring the executable's capability for security reasons. However, reading the source code and even using Eclipse to debug gdb itself while it is debugging my ext2fs-prog, which opens /dev/sda1, I realized that:

  1. gdb is no more special than any other program. (Just like in The Matrix, even the agents themselves obey the same physical laws, gravity etc., except that they are all door-keepers.)
  2. gdb is not the parent process of the debugged executable; instead it is the grandfather.
  3. The true parent process of the debugged executable is the "shell", i.e. /bin/bash in my case.

So the solution is very simple: apart from adding cap_net_admin,cap_net_raw+eip to gdb, you also have to apply this to your shell, i.e. setcap cap_net_admin,cap_net_raw+eip /bin/bash

The reason that you also have to do this to gdb is that gdb is the parent process of /bin/bash before it creates the debugged process.

The true executable command line inside gdb is like the following:

/bin/bash exec /my/executable/program/path

And this is the parameter to vfork inside gdb.

answered Sep 23 '22 09:09

Nick Huang
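
A way to inspect the process chain this answer describes, as an added example that is not part of the original answer: a small C program that walks from itself up through its ancestors and prints each one's effective capability mask from /proc/<pid>/status. The helper names are hypothetical; bits 12 and 13 are CAP_NET_ADMIN and CAP_NET_RAW as defined in linux/capability.h.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define CAP_NET_ADMIN_BIT 12  /* CAP_NET_ADMIN in linux/capability.h */
#define CAP_NET_RAW_BIT   13  /* CAP_NET_RAW in linux/capability.h */

struct proc_info { char name[64]; int ppid; unsigned long long cap_eff; };

/* Parse Name, PPid and CapEff out of the text of /proc/<pid>/status.
 * Returns 0 when all three fields were found, -1 otherwise. */
int parse_status(const char *text, struct proc_info *out)
{
    int found = 0;
    for (const char *line = text; line && *line; ) {
        if (sscanf(line, "Name: %63s", out->name) == 1) found |= 1;
        else if (sscanf(line, "PPid: %d", &out->ppid) == 1) found |= 2;
        else if (sscanf(line, "CapEff: %llx", &out->cap_eff) == 1) found |= 4;
        line = strchr(line, '\n');   /* advance to the next line, if any */
        if (line) line++;
    }
    return found == 7 ? 0 : -1;
}

/* 1 if capability number `bit` is set in the mask, else 0. */
int has_cap(unsigned long long mask, int bit) { return (int)((mask >> bit) & 1ULL); }

/* Read and parse the status file of one process. */
int read_proc(int pid, struct proc_info *out)
{
    char path[64], buf[4096];
    snprintf(path, sizeof path, "/proc/%d/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_status(buf, out);
}

int main(void)
{
    struct proc_info p;
    /* First line is this process; each following line is the next ancestor. */
    for (int pid = getpid(); pid > 0 && read_proc(pid, &p) == 0; pid = p.ppid)
        printf("%-16s pid=%-7d CapEff=%016llx net_admin=%d net_raw=%d\n", p.name, pid,
               p.cap_eff, has_cap(p.cap_eff, CAP_NET_ADMIN_BIT), has_cap(p.cap_eff, CAP_NET_RAW_BIT));
    return 0;
}
```

Apply the same setcap line to the compiled binary, then run it once directly and once as the program started from gdb, and compare the two listings.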