site_archiver@lists.apple.com Delivered-To: darwin-dev@lists.apple.com Hey guys, I'm stepping through gdb with gdb like so: gdb --args ./gdb fooprogram -- Terry _______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-dev mailing list (Darwin-dev@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/darwin-dev/site_archiver%40lists.appl... On Jul 7, 2009, at 6:34 PM, Aron-Zvi wrote: I've downloaded and built the most recent gdb available at opensource.apple.com - gdb-966. I'm running OS X Leopard 10.5.7. gdb fails in macosx_ptrace_him() following the task_for_pid() call. task_for_pid() returns 5 which i believe is KERN_FAILURE. The message displayed in the debugger is "Unable to find Mach task port for process-id 8455". When I run just ./gdb fooprogram - everything works fine. gdb's gid is set to procmod. Furthermore, I've even tried running gdb as root with identical results. How can I use gdb to step through gdb debugging another process? As a setgid program, you will be unable to debug it unless you run the gdb you are using to debug it as root. This is an intentional security feature in task_for_pid() and in ptrace() to preclude you using the debugger to debug a program with escalated privilege and thus access code, data, or interfaces which you would otherwise not be privileged to access or execute as a privileged user or group. It doesn't matter that the group is the same as gdb itself is running as, what matters is that the credential for that user has been adulterated away from the identity given to the system by DirectoryServices or whatever authentication database you are using to establish the credential in the first place. Credentials are established by escalating privilege, setting up the credential, and dropping privilege. If you run a program that re-escalates privilege, unless it does the little dance to establish its rights to establish a new kernel credential authoritatively, privilege is revoked. In your case, your gdb is only sgid, so it's incapable of obtaining root privilege in order to become an authoritative source of credential information for the kernel. This is also generally why we ask people to rely on login as a gatekeeper, rather than writing their own credential establishing code. This email sent to site_archiver@lists.apple.com