Date: Wed, 11 Nov 2009 22:05:48 GMT
From: Erik Lax <erik@datahack.se>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/140493: truss log file descriptor shared with traced program
Message-ID: <200911112205.nABM5mqn045179@www.freebsd.org>
Resent-Message-ID: <200911112210.nABMA3hg008876@freefall.freebsd.org>

>Number:         140493
>Category:       misc
>Synopsis:       truss log file descriptor shared with traced program
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 11 22:10:03 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Erik Lax
>Release:        FreeBSD 7.2-RELEASE
>Organization:
>Environment:
FreeBSD freebsd.datahack.se 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May 1 08:49:13 UTC 2009 root@walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386

>Description:
The truss -o log file descriptor is shared with the traced program when truss starts the program with vfork/execvp, for no obvious reason(?). So it may play with your head when you are trying to debug a program if you are not aware of this!

As a security/technical problem this may affect badly written programs that expect a certain file descriptor to be opened at some target, causing the log file to be modified (by accident or evil...ftruncate).

>How-To-Repeat:
In one terminal

    # truss -o /tmp/truss.log sleep 60

followed by .. in another terminal

    # fstat | grep sleep
    root  sleep  37193  root  /      2      drwxr-xr-x  512    r
    root  sleep  37193  wd    /      45516  drwxr-xr-x  512    r
    root  sleep  37193  text  /      46256  -r-xr-xr-x  5964   r
    root  sleep  37193  0     /dev   100    crw--w----  ttyp2  rw
    root  sleep  37193  1     /dev   100    crw--w----  ttyp2  rw
    root  sleep  37193  2     /dev   100    crw--w----  ttyp2  rw
    root  sleep  37193  3     /tmp   4      -rw-r--r--  2278   w

File descriptor 3 is pointing at the log file provided by -o

>Fix:
Close the file descriptor trussinfo->outfile after the vfork().

Suggested changes would be to either make setup_and_wait(char *command[]) (setup.c) also take the file descriptor that should be closed as an argument or close all file descriptors from fd#3 and above after the vfork().

>Release-Note:
>Audit-Trail:
>Unformatted:
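
Added example (not part of the report and not truss source): a small C program that reproduces the descriptor inheritance described in the report and checks the first suggested fix, closing the log descriptor in the child before exec. Assumptions: fork() stands in for vfork(), a temporary file stands in for the -o log, /bin/sh plays the traced program, and the function name is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper. Returns 1 if the exec'd program can use the tracer's
 * log descriptor, 0 if it cannot, -1 on setup failure. */
int log_fd_visible_after_exec(int close_in_child)
{
    char path[] = "/tmp/fdleak-demo.XXXXXX"; /* constructed stand-in for the -o file */
    int logfd = mkstemp(path);
    if (logfd < 0)
        return -1;
    unlink(path);

    pid_t pid = fork(); /* truss uses vfork(); fork() keeps the child code well-defined */
    if (pid < 0) {
        close(logfd);
        return -1;
    }
    if (pid == 0) {
        /* Pin the log to fd 3, the number seen in the report's fstat output. */
        if (logfd != 3) {
            if (dup2(logfd, 3) < 0)
                _exit(126);
            close(logfd);
        }
        if (close_in_child)
            close(3); /* the suggested fix: drop the log fd before exec */
        /* Probe run by the "traced program": redirecting to fd 3 fails if it is closed. */
        execl("/bin/sh", "sh", "-c", "exec 2>/dev/null; : >&3", (char *)NULL);
        _exit(127);
    }
    close(logfd);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    if (code == 126 || code == 127)
        return -1; /* dup2 or exec failed in the child */
    return code == 0;
}

int main(void)
{
    printf("as reported: visible=%d\n", log_fd_visible_after_exec(0));
    printf("with fix:    visible=%d\n", log_fd_visible_after_exec(1));
    return 0;
}
```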