In the good old days there was not much malware on Linux systems, but as Linux grew in popularity, malware and trojans grew with it.
In a traditional Unix-like system, the ptrace system call allows any process to trace and take control of any other process it is permitted to send a signal to. The call has existed since 4.3BSD and SVr4.
The downside of this design is that malware running on your system can take full control of every other process it is allowed to signal and capture sensitive information from them.
This is not a bug; it is a design issue. A program can prevent itself from being traced by using the Linux-specific prctl call to clear the PR_SET_DUMPABLE flag, which the OpenSSH agent on your system already does.
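As an added example (not code from the post or from OpenSSH), this small Linux program clears its own dumpable flag with prctl(2), reads it back to confirm, and then goes on to do its "sensitive" work. The function names are my own. Note that the flag is reset to 1 when the process calls execve, so the call has to be made by the program that holds the secrets, not by a wrapper that launches it; with the flag cleared, core dumps are also disabled and the process's /proc/PID entries become owned by root.

```c
/* Added example, not the post's code: a process that opts out of being
 * traced by clearing its dumpable flag, the same prctl(2) call ssh-agent
 * uses.  Linux-only. */
#include <stdio.h>
#include <sys/prctl.h>

/* Returns the current dumpable flag of the calling process (0 or 1),
 * or -1 if prctl fails. */
int get_dumpable(void)
{
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Clears the dumpable flag for the calling process.  Once clear, an
 * unprivileged user (even the same uid) can no longer ptrace-attach to
 * this process regardless of the Yama ptrace_scope setting; only a
 * process with CAP_SYS_PTRACE can.  Core dumps are disabled as well.
 * Returns 0 on success, -1 on failure. */
int disable_ptrace_of_self(void)
{
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    /* Read it back rather than trusting the return code alone. */
    return get_dumpable() == 0 ? 0 : -1;
}

int main(void)
{
    printf("dumpable before: %d\n", get_dumpable());
    if (disable_ptrace_of_self() != 0) {
        perror("prctl(PR_SET_DUMPABLE)");
        return 1;
    }
    printf("dumpable after:  %d\n", get_dumpable());
    /* Handle keys, passwords or tokens from here on; strace -p and
     * gdb -p from another process of the same user now fail. */
    return 0;
}
```

Compile with `gcc -Wall -o nodump nodump.c` and run it; after it prints `dumpable after: 0`, an attempt by the same user to attach strace to it is refused even on a system where ptrace_scope is 0.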
But not many programmers are aware of this behaviour. So, from a Linux distribution's perspective, it is good to enable an additional protection mechanism on the ptrace system call that makes the system more secure without changing any software.
Newer Linux kernels have the Yama security module. When Yama is built into the kernel, its behaviour can be changed through the /proc/sys/kernel/yama/ptrace_scope file.
If you try to use strace to attach to another process that belongs to you but is not a child of strace, and the value in the ptrace_scope file is greater than 0, it is normal to get an “Operation not permitted” error.
Some recent Linux distributions set the ptrace_scope value to 1 by default. You can still use strace in this scenario by starting the program under strace, like this:
$ strace ./my_prog
but you cannot attach to a process that is already running and whose parent is not your newly started strace.
You can learn about the other values of ptrace_scope and the vulnerabilities of the current implementation from: https://www.kernel.org/doc/Documentation/security/Yama.txt
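As an added example (my own code, not from the post or from the kernel), here is a small Linux program that reads the live ptrace_scope value and explains what it means for attaching strace or a debugger. The descriptions of the four values follow the Yama document linked above; the function names and the -1 "not available" convention are my own choices. It also handles the case where Yama is not built into the kernel, in which case the file does not exist.

```c
/* Added example, not the post's code: read and interpret the Yama
 * ptrace_scope sysctl.  Linux-only; value meanings per
 * Documentation/security/Yama.txt. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PTRACE_SCOPE_PATH "/proc/sys/kernel/yama/ptrace_scope"

/* Parses the text read from the sysctl file, e.g. "1\n".
 * Returns 0..3, or -1 if the text is not a valid scope value. */
int parse_ptrace_scope(const char *text)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(text, &end, 10);
    if (end == text || errno != 0)
        return -1;
    /* Only trailing whitespace may follow the number. */
    while (*end == ' ' || *end == '\n' || *end == '\t')
        end++;
    if (*end != '\0' || v < 0 || v > 3)
        return -1;
    return (int)v;
}

/* Reads the live value.  Returns 0..3, or -1 when Yama is not built in
 * (the file does not exist) or the file cannot be read. */
int read_ptrace_scope(void)
{
    char buf[16];
    FILE *f = fopen(PTRACE_SCOPE_PATH, "r");
    if (f == NULL)
        return -1;
    if (fgets(buf, sizeof buf, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return parse_ptrace_scope(buf);
}

/* Human-readable meaning of each scope value, following Yama.txt. */
const char *describe_ptrace_scope(int scope)
{
    switch (scope) {
    case 0: return "classic: a process may attach to any other dumpable process of the same uid";
    case 1: return "restricted: only descendants may be attached (strace ./prog works; strace -p does not unless the target calls prctl(PR_SET_PTRACER))";
    case 2: return "admin-only: attaching requires CAP_SYS_PTRACE";
    case 3: return "no attach: ptrace attach is disabled and the value cannot be changed again without a reboot";
    default: return "unknown: Yama is not available or the value could not be read";
    }
}

int main(void)
{
    int scope = read_ptrace_scope();
    printf("%s = %d\n", PTRACE_SCOPE_PATH, scope);
    printf("%s\n", describe_ptrace_scope(scope));
    return scope < 0 ? 1 : 0;
}
```

Running it on a distribution that ships the default described in the post prints `... = 1` followed by the "restricted" line, which is exactly the case where `strace ./my_prog` works but attaching to an already running process does not.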