tech-kern archive


Re: Silly question about ktrace(1) and non-root users



> %ps -uw28755
> USER     PID %CPU %MEM VSZ RSS TTY STAT STARTED    TIME COMMAND
> buhrow 28755  0.1  0.0 408 932 ?   S    24May11 0:03.27 sshd: buhrow@ttyp2 
> %whoami
> buhrow
> %ktrace -p 28755
> ktrace: file ktrace.out, pid 28755: Operation not permitted

See sys/kern/kern_ktrace.c.  This is probably coming from either the
filesystem code in sys_ktrace(), if the problem is trying to open the
file, or from kauth_authorize_process(KAUTH_PROCESS_CANKTRACE) in
ktrcanset(), if the problem is coming from permission to trace the
process.

I'd check the former first, because it's easier.  But if that's not it,
look at sys/secmodel/bsd44/secmodel_bsd44_suser.c for
KAUTH_PROCESS_CANKTRACE (I'm assuming you're not using your own
secmodels here, or you surely would have mentioned it).  My guess would
be that this is a case of a set-ID program doing a setuid() but not
execing and the process thus still being marked as set-ID.  If you
really want to track this down, you could do something like sprinkle
printfs in the KAUTH_PROCESS_CANKTRACE code to find out which test is
responsible.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse%rodents-montreal.org@localhost
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
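
An added illustration of the hypothesis in the reply above; it is not part of the original message and is not NetBSD source. It is a userland model that reports which test denies the request, the same answer the suggested printfs would give. The struct, enum and function names are hypothetical, the set of tests and their order are assumptions, and the uid values are constructed.

```c
/* Userland model only; not NetBSD kernel source. All names here are
 * hypothetical and the order of the tests is an assumption. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

struct model_cred { uid_t ruid, euid, svuid; };
struct model_proc { struct model_cred cred; bool marked_setid; };

enum verdict { KT_ALLOW, KT_DENY_SETID_MARK, KT_DENY_UID_MISMATCH };

/* Returns which test decided the request. */
enum verdict model_canktrace(const struct model_cred *tracer,
                             const struct model_proc *target)
{
    if (tracer->euid == 0)
        return KT_ALLOW;               /* superuser may trace anything */
    if (target->marked_setid)
        return KT_DENY_SETID_MARK;     /* hypothesis: mark survives setuid() */
    if (tracer->ruid != target->cred.ruid ||
        tracer->ruid != target->cred.euid ||
        tracer->ruid != target->cred.svuid)
        return KT_DENY_UID_MISMATCH;   /* target is not wholly the tracer's */
    return KT_ALLOW;
}

const char *verdict_name(enum verdict v)
{
    switch (v) {
    case KT_ALLOW:           return "allowed";
    case KT_DENY_SETID_MARK: return "EPERM: target still marked set-ID";
    default:                 return "EPERM: uid mismatch";
    }
}

int main(void)
{
    /* Constructed sample values: uid 1000 is the unprivileged user. */
    struct model_cred user = { 1000, 1000, 1000 };
    struct model_proc plain   = { { 1000, 1000, 1000 }, false };
    /* Started privileged, then setuid(1000) with no exec afterwards. */
    struct model_proc dropped = { { 1000, 1000, 1000 }, true };
    struct model_proc foreign = { { 1001, 1001, 1001 }, false };

    printf("plain:   %s\n", verdict_name(model_canktrace(&user, &plain)));
    printf("dropped: %s\n", verdict_name(model_canktrace(&user, &dropped)));
    printf("foreign: %s\n", verdict_name(model_canktrace(&user, &foreign)));
    return 0;
}
```

In this model the "dropped" process shows the same owner as "plain" in ps output, yet only the set-ID mark separates the two verdicts.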

