Updating remote process capture FAQ #44
base: master
processes by giving it a special capability (you'll need `libcap2-bin` installed): | ||
|
||
``` | ||
sudo setcap cap_sys_ptrace=eip /usr/bin/lldb |
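Review bot: `setcap cap_sys_ptrace=eip /usr/bin/lldb` names the wrong binary for this plugin and grants the capability more widely than the text suggests. The plugin drives the debugger through the lldb Python module inside the editor process, so `/usr/bin/lldb` never performs the attach; the process that does is `lldb-server`, which is what this entry should name. The sentence should also say plainly that a file capability is handed to every user who can execute the file, so the `setcap` line needs to be paired with restrictive execute permissions (owner only, or a dedicated group) rather than a world-executable binary, and `getcap /usr/bin/lldb-server` is the one-line way to confirm what was set.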
Did you test the plugin with this set? I ask this because the plugin is loading the debugger as a python library, and there is no `/usr/bin/lldb` process when running the plugin. So I can't see this change affecting the plugin.
You're right, I wrongly assumed the python library was still using the lldb binary… I'm changing this… At least that still applies to lldb-server ☺
I'll rewrite it.
> At least that still applies to lldb-server

Don't you think running `lldb-server` as root is more "secure" than escalating its capability? Or is there a significant usability improvement by doing that?
Well, it's a matter of personal choice, but yes, I believe that it's still better from a security perspective, as running `lldb-server` as root gives a lot more than just remote process capture (basically r/w anywhere). So I believe it's worth noting in the FAQ.
> as running lldb-server as root gives a lot more than just remote process capture

But that's limited to the text editor's scope. Another process cannot jack into the `lldb-server` process to access its capabilities. But changing the capability of the `lldb-server` executable itself grants any process (that can execute it) similar capabilities.
IIRC, there is an option to limit the number of clients to just one. (Not sure if it is the default.)
Update: Yes, it is the default. Passing the `--server` option will make it fork for every incoming connection.
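The point argued in this thread, that a file capability reaches every user who can execute the binary while a root-run `lldb-server` keeps the rights inside one process, can be made checkable with a small script. The following is an added example and not code from lldb.nvim or from this PR: `assess_cap_grant` and `inspect_binary` are names chosen here, the script assumes GNU `stat -c %a`, treats `getcap` as optional, and accepts both textual forms `getcap` has printed over the years (`cap_sys_ptrace=ep` and `= cap_sys_ptrace+ep`).

```shell
#!/bin/sh
# Added example (not part of lldb.nvim or this PR): report how widely a
# cap_sys_ptrace file capability on a debugger binary is handed out.
# A file capability is granted to every process that can execute the file,
# so the execute bits decide who ends up with ptrace rights; running
# lldb-server as root instead confines them to that one process.

# assess_cap_grant MODE CAPS
#   MODE  octal permission string as printed by `stat -c %a` (e.g. 755, 2750)
#   CAPS  text as printed by `getcap` (e.g. "cap_sys_ptrace=ep" or
#         "/usr/bin/lldb-server = cap_sys_ptrace+ep"), or "" when none is set
# Prints one of: none, owner-only, group, world.
# Returns 0 when the grant is confined (none/owner-only/group), 1 for world.
assess_cap_grant() {
    mode=$1
    caps=$2
    case "$caps" in
        *cap_sys_ptrace*) ;;          # either getcap output style matches
        *) echo none; return 0 ;;     # no ptrace capability on the file
    esac
    # keep the last three octal digits; a leading setuid/setgid/sticky digit
    # does not matter here, and the padding guards against short modes like "0"
    perm=$(printf '000%s' "$mode" | sed 's/.*\(...\)$/\1/')
    o=${perm#??}                      # "others" digit
    g=${perm%?}; g=${g#?}             # "group" digit
    if [ $(( o & 1 )) -ne 0 ]; then   # execute bit for everyone: any user gains the capability
        echo world; return 1
    fi
    if [ $(( g & 1 )) -ne 0 ]; then   # execute bit for the group only
        echo group; return 0
    fi
    echo owner-only; return 0
}

# inspect_binary PATH
# Reads the live mode, file capability and Yama ptrace_scope for PATH
# (assumes GNU stat; getcap is optional) and prints a one-line summary.
inspect_binary() {
    bin=$1
    [ -e "$bin" ] || { echo "$bin: not found"; return 2; }
    mode=$(stat -c %a "$bin")
    caps=""
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$bin" 2>/dev/null || true)
    fi
    scope=unknown
    if [ -r /proc/sys/kernel/yama/ptrace_scope ]; then
        scope=$(cat /proc/sys/kernel/yama/ptrace_scope)
    fi
    if verdict=$(assess_cap_grant "$mode" "$caps"); then
        reach=confined
    else
        reach="world-wide, tighten the execute bits (owner plus a debug group)"
    fi
    echo "$bin: mode=$mode caps='${caps:-none}' yama.ptrace_scope=$scope grant=$verdict ($reach)"
}

# Constructed sample inputs (not taken from a real system) showing each outcome.
echo "755 + cap_sys_ptrace=ep  -> $(assess_cap_grant 755 'cap_sys_ptrace=ep')"
echo "2750 + cap_sys_ptrace=ep -> $(assess_cap_grant 2750 'cap_sys_ptrace=ep')"
echo "700 + cap_sys_ptrace+ep  -> $(assess_cap_grant 700 '/usr/bin/lldb-server = cap_sys_ptrace+ep')"
echo "755, no capability       -> $(assess_cap_grant 755 '')"
# On a real install (path is only an example):  inspect_binary /usr/bin/lldb-server
```

The interesting case is the first one: a stock `755` binary with the capability set means every local account gets `CAP_SYS_PTRACE` simply by running it, which is the situation the reviewer describes; the `2750` case is what a dedicated debug group buys you.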
sudo setcap cap_sys_ptrace=eip /usr/bin/lldb | ||
``` | ||
|
||
This cannot be reverted, so you can use user permissions to restrict the risk of |
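Review bot: "This cannot be reverted" is wrong and should be dropped: `setcap -r /usr/bin/lldb` clears the file capability again, and `getcap` shows whether anything is still set. The sentence should instead finish the thought it opens, i.e. name the user permissions it means (the execute bits on the binary), since those are what bound which accounts inherit the capability.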
> cannot be reverted

What do you mean? Doesn't this work:
`sudo setcap -r /usr/bin/lldb`
I'm not sure but it's what I've read on the ubuntu forum link you've given and some other place… but because it was late, I've been a bit too fast at proposing the change ☺
Looks like `-r` works, just tested. Removing that 👌
fixed a few stupid things, and added better tips (included some viml)
OK, I've updated the FAQ with a section on what I was originally asking: how to work with interactive processes. Then I've exposed the different ways to attach a process, and then how to automate that with a bit of viml. Basically stuff that I would have loved to read in the FAQ 😀
Feels like the FAQ is growing too large. I might move some parts to another md file later. For now, looks good except the minor changes suggested.
the ptrace system call: | ||
|
||
``` | ||
sysct -w kernel.yama.ptrace_scope=0 |
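Review bot: `sysct` is missing its `l` (`sysctl -w kernel.yama.ptrace_scope=0`), and the entry should say two more things about that line: `sysctl -w` only changes the running kernel, so the setting is gone after a reboot unless it is also written to a sysctl configuration file, and `ptrace_scope=0` relaxes the restriction for every process on the machine, not just the debugger. The per-executable capability that the same FAQ entry presents as the alternative to "disabling `ptrace` scoping globally" is the narrower option and should be recommended first, with the global switch kept as the fallback.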
`sysctl` (l missing)
👌
So please read [the following FAQ entry on how to run a remote server][remote-debug]. | ||
|
||
Instead of disabling `ptrace` scoping globally, you can as well disable it just for | ||
the `lldb-server` executable (on debian, you'll need `libcap2-bin` installed): |
Just stating "you'll need `libcap2`" is enough, I think. Anyway, `libcap2` is a prerequisite for `coreutils`, so it's very unlikely to not have it installed.
👌
in your `vimrc`: | ||
|
||
``` | ||
function! LLSpawn(target) |
Instead of starting `lldb-server` here, I think it would be cleaner to let them start it elsewhere, and make this function take a port number as argument.
made both work
> made both work

That wasn't my intention. I primarily wanted to make the snippet short. If the FAQ is too long, people will be even more reluctant to read it. Besides, it still has syntax errors.
I'll fix them and merge it when I get free. Probably after a month.
scoping in any way suggested [above][attach-process]. | ||
|
||
[attach-process]:https://github.com/guyzmo/lldb.nvim/blob/patch-1/README.md#how-do-I-attach-to-a-running-process | ||
[remote-debug]:https://github.com/guyzmo/lldb.nvim/blob/patch-1/README.md#remote-debugging-does-not-work |
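Review bot: both reference links point at a branch of a fork (`guyzmo/lldb.nvim/blob/patch-1/README.md#...`), so once merged they would send readers away from the repository's own README; plain fragment links (`#how-do-i-attach-to-a-running-process`, `#remote-debugging-does-not-work`) resolve within the same page and survive forks and renames. Note also that GitHub generates heading anchors in lowercase, so the capital `I` in `how-do-I-attach-to-a-running-process` should be lowercased for the fragment to match the heading.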
Wrong links! Just the id part should work:
[attach-process]: #how-do-I-attach-to-a-running-process
[remote-debug]: #remote-debugging-does-not-work
👌
added syntax argument, fixed typos
fixes #43