Typical Use of the strace Command
To monitor system calls for an application, just invoke the command with strace in the following format:
Often, however, the process you care about started long before and is already running in the background. To collect information about such a process, attach strace to it by passing its process ID to the -p parameter. Attaching is subject to the ptrace permission rules described under ptrace and Security below: on a system with restricted ptrace you must be root, or the target must be a descendant of the shell you attach from.
Output:
Keep Track of Threads and Forks of an App
By default strace follows only the process it started or attached to. Pass the -f flag to make it also follow every child process and thread the program creates with fork, vfork or clone; each line of output is then prefixed with the PID (or TID) that made the call.
Output:
Check Certain System Calls With strace
The default strace output can be too noisy to follow. If you only want to see certain system calls, filter them with the -e parameter:
To trace only file-related system calls, that is, every call that takes a file name as an argument (open, stat, execve and so on), use -e trace=file:
To see only network-related system calls (socket, connect, sendto and the rest of the socket API), specify -e trace=network:
Get Time Information in Seconds
The -t parameter prefixes each system call with the time of day at one-second resolution, which is usually too coarse to be useful. -tt adds microseconds, and -ttt prints the time as seconds since the epoch with microseconds, which is easier to correlate with other logs. If you want to know how long each call took rather than when it started, add -T, which appends the time spent inside the call:
Collect Statistics About System Calls
With the -c parameter, strace suppresses the per-call trace and instead counts calls, errors and time per system call, printing a summary table when the traced program exits or when you interrupt an attached session with Ctrl-C:
Save Logs to a File
If you run strace for a long time and want to examine the resulting trace later, save it to a file rather than the terminal. The -o parameter names the file strace should write to; combined with -ff it writes one file per traced process, suffixed with the PID, which keeps the output of forking programs readable:
Blocking ptrace From Within a Process
Using the prctl system call, any Linux process can prevent itself from being controlled through ptrace by anyone who lacks CAP_SYS_PTRACE. If the process clears its own dumpable flag with prctl(PR_SET_DUMPABLE, 0), other processes running as the same user can no longer attach to it with ptrace (they still may signal it), it no longer produces core dumps, and its /proc/<pid> entries become owned by root. The flag must be cleared by the program itself after it starts, since execve of an ordinary binary resets it to 1, and it offers no protection against root or any process that does hold CAP_SYS_PTRACE.
The best-known user of this feature is the OpenSSH authentication agent, ssh-agent, which clears the flag at startup. Another process running under the same user therefore cannot attach to the agent with ptrace and read the private keys it holds in memory.
ptrace and Security
In the traditional Linux process model, any program running under your user ID may ptrace any other process with the same user ID. Any software you run, from the simplest xterm to a large web browser, therefore has the ability to attach to your other running applications, inject code into them and copy sensitive information out of them without your noticing.
Because many users are unaware of this, the Linux kernel gained a protection mechanism in the form of the Yama security module.
Yama's policy is controlled through the /proc/sys/kernel/yama/ptrace_scope file. A value of 0 corresponds to the classic, unrestricted behaviour described above; Ubuntu, for example, has shipped with 1 since 10.10.
The following values are accepted:
0 - classic ptrace permissions: a process may PTRACE_ATTACH to any other process running under the same user ID, as long as that process is dumpable.
1 - restricted ptrace: a process may only attach to its own descendants, unless the target has explicitly allowed a tracer with prctl(PR_SET_PTRACER, pid). Running strace ./program still works, but strace -p on an unrelated process of your own fails with EPERM unless you are root.
2 - admin-only attach: only processes with CAP_SYS_PTRACE may use ptrace, whether through PTRACE_ATTACH or through a child calling PTRACE_TRACEME.
3 - no attach: no process may use ptrace at all; once set, this value cannot be changed until reboot.
Many developers do not know that an application can disable ptrace for itself via prctl, except for processes holding CAP_SYS_PTRACE. Security-sensitive software such as the OpenSSH agent does this, but it would be unrealistic to expect the same from every program on the system.
For that reason many Linux distributions now set ptrace_scope to 1 by default. With ptrace restricted system-wide, a safer working environment is provided regardless of what individual programs do.
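The two controls described above, a target refusing tracers with PR_SET_DUMPABLE and the system-wide Yama ptrace_scope policy, can be exercised with the following program. It is an added example, not code from the original article and not OpenSSH's implementation. It forks a child that sets its own dumpable flag, signals readiness through a pipe, and then sits in pause(); the parent tries to PTRACE_ATTACH to it and reports the result. The function names read_ptrace_scope and attach_after_dumpable are this example's own.

```c
/* dumpable_demo.c: added example, not from the original article and not
 * OpenSSH's code. Exercises the two controls described above:
 *   - prctl(PR_SET_DUMPABLE, 0), with which a process refuses ptrace from
 *     anyone lacking CAP_SYS_PTRACE (the ssh-agent technique), and
 *   - /proc/sys/kernel/yama/ptrace_scope, the system-wide Yama policy.
 * Linux only. Build: cc -Wall -o dumpable_demo dumpable_demo.c
 */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return the current Yama ptrace_scope (0-3), or -1 if Yama is absent. */
int read_ptrace_scope(void)
{
    int scope = -1;
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (f == NULL)
        return -1;
    if (fscanf(f, "%d", &scope) != 1)
        scope = -1;
    fclose(f);
    return scope;
}

/* Fork a child that sets its dumpable flag to `dumpable` (1 = normal,
 * 0 = protected) and then try to PTRACE_ATTACH to it from the parent.
 * Returns 0 if the attach succeeded, otherwise the errno from ptrace();
 * EPERM is what an unprivileged tracer gets from a non-dumpable target
 * (and what any tracer gets when Yama or seccomp forbids attaching). */
int attach_after_dumpable(int dumpable)
{
    int ready[2];
    if (pipe(ready) != 0)
        return errno;

    pid_t pid = fork();
    if (pid < 0)
        return errno;

    if (pid == 0) {
        /* Child plays the protected service (think ssh-agent). */
        close(ready[0]);
        if (prctl(PR_SET_DUMPABLE, dumpable, 0, 0, 0) != 0)
            _exit(1);
        if (write(ready[1], "r", 1) != 1)   /* tell the parent we are ready */
            _exit(1);
        close(ready[1]);
        for (;;)
            pause();                         /* wait to be attached or killed */
    }

    /* Parent plays the would-be tracer. */
    close(ready[1]);
    char byte;
    ssize_t got = read(ready[0], &byte, 1);
    close(ready[0]);
    if (got != 1) {                          /* child died before signalling */
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return ECHILD;
    }

    int result = 0;
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) {
        result = errno;
    } else {
        int status;
        waitpid(pid, &status, 0);            /* attach stops the target */
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
    }

    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return result;
}

int main(void)
{
    int r;
    printf("yama ptrace_scope: %d (-1 = Yama not present)\n", read_ptrace_scope());
    r = attach_after_dumpable(1);
    printf("uid %d attaching to a dumpable child:     %s\n",
           (int)getuid(), r == 0 ? "allowed" : strerror(r));
    r = attach_after_dumpable(0);
    printf("uid %d attaching to a non-dumpable child: %s\n",
           (int)getuid(), r == 0 ? "allowed" : strerror(r));
    return 0;
}
```

Run it as an ordinary user and the non-dumpable child reports Operation not permitted even though it is your own process and your own descendant; run it as root (with CAP_SYS_PTRACE) and both attaches succeed, which is exactly why the prctl trick is a defence against same-user malware and not against a compromised root.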
Writing a Minimal strace
Save the sample application below as ministrace.c and compile it with the following command:
Code:
After compiling the application, you can run any command with ministrace and examine the output:
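To make the mechanism behind strace and the ministrace sample concrete, here is an added example of the same ptrace loop; it is this page's illustration, not the article's ministrace.c. The child requests tracing with PTRACE_TRACEME and execs the command; the parent resumes it with PTRACE_SYSCALL, so the kernel stops the child once on entry to and once on exit from every system call, and reads the syscall number and result from the registers. Register decoding is shown for x86_64 and aarch64 (other architectures still count the stops but report the number as -1). Function and struct names are this example's own.

```c
/* mini_tracer.c: added example of the ptrace loop behind strace; it is not
 * the article's ministrace.c. Linux only.
 * Build: cc -Wall -o mini_tracer mini_tracer.c
 * Usage: ./mini_tracer /bin/ls -l
 */
#include <elf.h>        /* NT_PRSTATUS for PTRACE_GETREGSET on aarch64 */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/uio.h>    /* struct iovec */
#include <sys/user.h>   /* struct user_regs_struct */
#include <sys/wait.h>
#include <unistd.h>

struct syscall_regs {
    long nr;    /* system call number, valid at syscall entry */
    long ret;   /* return value, valid at syscall exit (-errno on failure) */
};

/* Read the syscall number and result register of a stopped tracee.
 * Register names are architecture specific; only x86_64 and aarch64 are
 * decoded here, other architectures report nr = -1. */
static int read_syscall_regs(pid_t pid, struct syscall_regs *out)
{
#if defined(__x86_64__)
    struct user_regs_struct regs;
    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1)
        return -1;
    out->nr = (long)regs.orig_rax;   /* rax itself is overwritten by the result */
    out->ret = (long)regs.rax;
#elif defined(__aarch64__)
    struct user_regs_struct regs;
    struct iovec iov = { &regs, sizeof regs };
    if (ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &iov) == -1)
        return -1;
    out->nr = (long)regs.regs[8];    /* x8 carries the syscall number */
    out->ret = (long)regs.regs[0];   /* x0 carries the result */
#else
    (void)pid;
    out->nr = -1;
    out->ret = 0;
#endif
    return 0;
}

/* Run argv under the tracer. With verbose != 0 each call is printed as
 * "syscall(N) = R". Returns the number of system calls observed, or -1 if
 * the child could not be traced (ptrace denied by Yama, seccomp, etc.). */
long trace_command(char *const argv[], int verbose)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: ask to be traced, then exec. The successful execve stops
         * the child with SIGTRAP so the parent can set options first. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(127);
        execvp(argv[0], argv);
        _exit(127);
    }

    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        return -1;
    /* TRACESYSGOOD marks syscall stops with SIGTRAP|0x80 so they cannot be
     * confused with a genuine SIGTRAP delivered to the tracee. */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);

    long count = 0;
    int in_syscall = 0;   /* stops alternate: entry, exit, entry, ... */
    int sig = 0;          /* signal to deliver on the next resume */
    struct syscall_regs sc = { -1, 0 };

    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1)
            return -1;
        sig = 0;
        if (waitpid(pid, &status, 0) == -1)
            return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            break;
        if (!WIFSTOPPED(status))
            continue;
        if (WSTOPSIG(status) == (SIGTRAP | 0x80)) {
            read_syscall_regs(pid, &sc);
            if (!in_syscall) {
                count++;
                if (verbose)
                    printf("syscall(%ld)", sc.nr);
            } else if (verbose) {
                printf(" = %ld\n", sc.ret);
            }
            in_syscall = !in_syscall;
        } else {
            /* Some other signal stopped the tracee: pass it through on the
             * next resume, as strace does, instead of swallowing it. */
            sig = WSTOPSIG(status);
            if (verbose)
                printf("--- signal %d ---\n", sig);
        }
    }
    if (verbose && in_syscall)
        printf(" = ?  (process exited inside the call)\n");
    return count;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    long n = trace_command(&argv[1], 1);
    if (n < 0) {
        perror("trace_command");
        return 1;
    }
    fprintf(stderr, "%ld system calls traced\n", n);
    return 0;
}
```

The tracer does not set PTRACE_O_TRACEFORK and friends, so it only follows the initial process (strace's behaviour without -f), and it prints raw numbers rather than names; mapping numbers to names and decoding arguments is most of what separates this loop from the real strace.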
You Can Use strace for Many Purposes
strace helps you find bugs in programs that use system resources unnecessarily, and it reveals how a program actually behaves towards the operating system: which files it opens, which sockets it connects to, and which calls fail.
Because strace observes system calls directly, it shows runtime behaviour whether or not you have the program's source code. It is often the fastest way to learn why a program fails at startup, for example by spotting the open or execve call that returns ENOENT or EACCES.
Likewise, strace helps you understand why a program terminates unexpectedly, since the fatal signal or the failing call appears at the end of the trace. Being comfortable with strace is therefore valuable in both Linux kernel development and system administration.