How to run GDB with the group from the setgid bit

The title says pretty much everything. I am trying to debug a program that has the setgid bit set for another group (let's call it group A). I'm running gdb as a member of group B. For the sake of argument, let's say I can't just be added to group A. These are both non-root/sudo groups.

When I run the program from the command line, it runs correctly with group A permissions, but when I run gdb, the program calls getegid, which shows that I am still running as group B. Is there any way to change this so I can run gdb as group A? Again, group A has the setgid bit set, so shouldn't gdb run it as group A?

+3


1 answer


On most systems, GDB uses ptrace to control, verify, and modify the target process.

As described in the execve man page, the setuid and setgid executable bits will have no effect if the process is ptraced:

If the set-user-ID bit is set on the program file pointed to by filename, and the underlying filesystem is not mounted nosuid (the MS_NOSUID flag for mount(2)), and the calling process is not being ptraced, then the effective user ID of the calling process is changed to that of the owner of the program file. Similarly, when the set-group-ID bit of the program file is set the effective group ID of the calling process is set to the group of the program file.

[This is not entirely true. If the calling process is ptraced and is running as root, the setuid and setgid bits will be honored.]

This limitation of not enforcing the setuid and setgid bits in ptraced processes has long been a security feature of Unix systems to prevent users from using ptrace to change the behavior of privileged processes.

If you want the setuid and setgid bits to take effect on monitored processes, in general the debugger process must run as root or have the CAP_SYS_PTRACE capability.

0

