我如何将 valgrind 运行到具有超级用户位的进程?

发布于 2024-08-10 08:03:35 字数 531 浏览 3 评论 0原文

我运行 valgrind 如下:-

/usr/local/bin/valgrind "process_name"

执行后它给我以下错误

==21731==
==21731== Warning: Can't execute setuid/setgid executable: 
==21731== Possible workaround: remove --trace-children=yes, if in effect
==21731==
valgrind: "process name": Permission denied

我的 valgrind 权限如下:- -r-sr-xr-x /usr/local/bin/valgrind

我的进程权限如下:- -r-sr-xr-x "process_name"

平台:Linux VMLINUX3 2.6.9-78.0.22.ELsmp(RHEL)

Valgrind 版本:valgrind-3.5.0

对此的任何帮助将不胜感激

I am running valgrind as follows:-

/usr/local/bin/valgrind "process_name"

After excecution its giving me following error

==21731==
==21731== Warning: Can't execute setuid/setgid executable: 
==21731== Possible workaround: remove --trace-children=yes, if in effect
==21731==
valgrind: "process name": Permission denied

My valgrind permission is as follows :-
-r-sr-xr-x /usr/local/bin/valgrind

My process permission is as follows:-
-r-sr-xr-x "process_name"

Platform : Linux VMLINUX3 2.6.9-78.0.22.ELsmp(RHEL)

Valgrind version: valgrind-3.5.0

Any help on this will be appreciated

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

向地狱狂奔 2024-08-17 08:03:35

对于开发 FUSE 文件系统的人来说,这是一个永恒的问题。 此链接可能会有所帮助(实际上太多了,无法合并到一个答案中)。解决方法包括及时更换 fusionmount,以及(视情况而定)valgrind 的一些附加选项以防止其追踪儿童。

事实上,如果你在 valgrind 下运行我的 FS,你会得到这个输出(是的,有足够多的人遇到这个问题,我实际上在启动时检测到了 valgrind 并显示了链接):

root@tower:~ # valgrind xsfs /xs
==9479== Memcheck, a memory error detector.
==9479== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==9479== Using LibVEX rev 1884, a library for dynamic binary translation.
==9479== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==9479== Using valgrind-3.4.1, a dynamic binary instrumentation framework.
==9479== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==9479== For more details, rerun with: -v
==9479==
******** Valgrind has been detected by xsfs
******** If you have difficulties getting xsfs to work under Valgrind,
******** see the following thread:
******** http://www.nabble.com/valgrind-and-fuse-file-systems-td13112112.html
******** Sleeping for 5 seconds so this doesn't fly by ....

最简单要做的事情是所有调试都在以 root 身份运行的一次性虚拟机中进行,您可以在其中放弃 setuid 位,然后就可以完成它。确保您测试的代码没有任何泄漏或违规,测试任何不使用熔丝的链接库代码都很容易。将您的构建交给“valgrind-clean”,并注意您已在文档中这样做了。

然后,从 valgrind/valgrind.h 中获取一些位来检测它,并为那些继续运行它的人显示一条简短消息。解决这个问题的黑客需要根合作,坦率地说,在沙箱中也更容易完成。

拒绝在 setuid 位打开的情况下拒绝在 valgrind 下运行也很容易,如果人们确实想要这样做,则会显示一条有用的消息来关闭它。关闭

This is a perpetual problem for people who develop FUSE file systems. This link may help (it's quite literally too much to consolidate in a single answer). The work-around involves a just-in-time replacement of fusermount, and (depending), some additional options to valgrind to prevent it from tracing children.

In fact, if you run my FS under valgrind, you get this output (yes, enough people had that problem that I actually detected valgrind on start up and displayed the link):

root@tower:~ # valgrind xsfs /xs
==9479== Memcheck, a memory error detector.
==9479== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==9479== Using LibVEX rev 1884, a library for dynamic binary translation.
==9479== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==9479== Using valgrind-3.4.1, a dynamic binary instrumentation framework.
==9479== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==9479== For more details, rerun with: -v
==9479==
******** Valgrind has been detected by xsfs
******** If you have difficulties getting xsfs to work under Valgrind,
******** see the following thread:
******** http://www.nabble.com/valgrind-and-fuse-file-systems-td13112112.html
******** Sleeping for 5 seconds so this doesn't fly by ....

The easiest thing to do is all of your debugging in a disposable VM running as root, where you can just ditch the setuid bit, and be done with it. Make sure you test your code to not have any leaks or violations, its easy enough to test any linked library code not using fuse. Hand your build off 'valgrind-clean' and note that you've done so in the documentation.

Then, grab some bits out of valgrind/valgrind.h to detect it, and show a short message for those that go ahead and run it anyway. Hacks to work around it require root cooperation, and quite frankly, are much easier done in a sandbox just as well.

It's also easy enough to refuse to run under valgrind with the setuid bit on, showing a helpful message for people to turn it off if they really want to do it.

溺渁∝ 2024-08-17 08:03:35

我想最简单的答案是在调试时删除 setuid/setgid 位。当然,如果程序确实需要root权限,您可能必须以root身份运行valgrind,或者因为valgrind本身似乎是setuid,只需将其chown为root:root。如果您之后执行 valgrind ,它将拥有 root 权限(它的子进程 - 调试进程也将如此)。

然后您应该能够在该应用程序上运行 valgrind。

请小心,因为您将在系统中引入一个巨大的安全漏洞。更安全的解决方案是仅为应该能够运行(setuid)valgrind 并从那里开始的用户创建特殊组...

I suppose most simple answer would be to remove setuid/setgid bit while debugging. Of course if the program really needs root privileges you will have to probably run valgrind as root or since valgrind itself seems to be setuid just chown it to root:root. If you execute valgrind after that it will have root privileges (and so will it's children - debugged processes).

You should then be able to run valgrind on that application.

Just be careful, because you will be introducing a BIG security hole in your system. Safer solution would be to create special group only for users that should be able to run (setuid) valgrind and go from there...

墨落成白 2024-08-17 08:03:35

我假设您尝试使用 --trace-children=no 运行它?如果您具有 root 访问权限,此处似乎有一个解决方法< /a>.

I'm assuming you tried running it with --trace-children=no? If you have root access, there appears to be a workaround here.

一桥轻雨一伞开 2024-08-17 08:03:35

以 root 身份(或任何 set-uid 用户)运行 valgrind 命令,那么程序就不必使用设置 uid。

Run the valgrind command as root (or whoever the set-uid user is), then the program won't have to make use of setting the uid.

热情消退 2024-08-17 08:03:35

即使以 root 用户身份运行也会发生这种情况:)
最好的方法是更改​​权限以删除“s”,然后运行

This happens even when things were run as root user :)
Best way is to change the perms to remove "s", and run

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文