warning: Error disabling address space randomization: Operation not permitted

Question

what have i done wrong (or didn't do) that gdb is not working properly for me?

root@6be3d60ab7c6:/# cat minimal.c 
int main()
{
  int i = 1337;
  return 0;
}
root@6be3d60ab7c6:/# gcc -g minimal.c -o minimal
root@6be3d60ab7c6:/# gdb minimal
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
.
.
.
Reading symbols from minimal...done.
(gdb) break main
Breakpoint 1 at 0x4004f1: file minimal.c, line 3.
(gdb) run
Starting program: /minimal 
warning: Error disabling address space randomization: Operation not permitted
During startup program exited normally.
(gdb) 
(gdb) print i   
No symbol "i" in current context.

When running within a docker container, I got this error until I added`--security-opt seccomp=unconfined` to the `docker run`. — Cameron Taggart, Jun 07 '16 at 04:28
@CameronTaggart it works good for me, but security problem coms — Jia, Sep 03 '16 at 06:04

score 180 · Accepted Answer · answered Oct 10 '17 at 22:20

180

If you're using Docker, you probably need the --security-opt seccomp=unconfined option (as well as enabling ptrace):

docker run --cap-add=SYS_PTRACE --security-opt seccomp=unconfined

answered Oct 10 '17 at 22:20

wisbucky

33,218
10
150
101

6

thanks for this - I've no idea how much time I'd've lost learning this the hard way! – VorpalSword May 31 '18 at 20:47
2

I think `--cap-add=SYS_PTRACE` is only needed when attaching `gdb` to an already running process. – parched Nov 02 '18 at 07:38
Could you provide the security issues using these options might involve ? – Ra'Jiska Aug 08 '19 at 14:41
7

Is there a way to apply this command to an already running instance? Because I don't want to remove this instance and start a new one – sh.3.ll May 30 '20 at 18:59
Hmm Doesn't work for me. I get `warning: Could not trace the inferior process. warning: ptrace: Permission denied` What I'm doing is`docker create --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -it blah` followed by `docker start -i blah` ... seems this should have worked!? – Linas Mar 07 '23 at 07:16

score 21 · Answer 2 · edited Apr 13 '17 at 12:22

For whatever reason, your user account doesn't have permission to disable the kernel's address space layout randomisation for this process. By default, gdb turns this off because it makes some sorts of debugging easier (in particular, it means the address of stack objects will be the same each time you run your program). Read more here.

You can work around this problem by disabling this feature of gdb with set disable-randomization off.

As for getting your user the permission needed to disable ASLR, it probably boils down to having write permission to /proc/sys/kernel/randomize_va_space. Read more here.

Kevin W Matthews · Answer 3 · 2020-08-31T18:42:41.530

17

Building on wisbucky's answer (thank you!), here are the same settings for Docker compose:

security_opt:
  - seccomp:unconfined
cap_add:
  - SYS_PTRACE

The security option seccomp:unconfined fixed the address space randomization warnings.

The capability SYS_PTRACE didn't seem to have a noticeable effect even though the Docker documentation states that SYS_PTRACE is a capability that is "not granted by default". Perhaps I don't know what to look for.

edited Aug 31 '20 at 18:42

answered Jul 26 '18 at 02:13

Kevin W Matthews

722
6
19

2

YOu have a typo, it is unconfined not unconfirmed – Marc43 Aug 31 '20 at 07:58

warning: Error disabling address space randomization: Operation not permitted

3 Answers3

Linked