misc/140493: truss log file descriptor shared with traced program
erik at datahack.se
Wed Nov 11 22:10:04 UTC 2009
>Synopsis: truss log file descriptor shared with traced program
>Arrival-Date: Wed Nov 11 22:10:03 UTC 2009
>Originator: Erik Lax
>Release: FreeBSD 7.2-RELEASE
FreeBSD freebsd.datahack.se 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May 1 08:49:13 UTC 2009 root at walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
The truss -o log file descriptor is shared with the traced program when truss starts the program with vfork/execvp, for no obvious reason(?).
So it may play with your head when you are trying to debug a program if you are not aware of this!
As a security/technical problem, this may affect badly written programs that expect a certain file descriptor to be opened at some target, causing the log file to be modified (by accident or evil...ftruncate).
In one terminal
# truss -o /tmp/truss.log sleep 60
followed by .. in another terminal
# fstat | grep sleep
root sleep 37193 root / 2 drwxr-xr-x 512 r
root sleep 37193 wd / 45516 drwxr-xr-x 512 r
root sleep 37193 text / 46256 -r-xr-xr-x 5964 r
root sleep 37193 0 /dev 100 crw--w---- ttyp2 rw
root sleep 37193 1 /dev 100 crw--w---- ttyp2 rw
root sleep 37193 2 /dev 100 crw--w---- ttyp2 rw
root sleep 37193 3 /tmp 4 -rw-r--r-- 2278 w
File descriptor 3 is pointing at the log file provided by -o.
Close the file descriptor trussinfo->outfile after the vfork().
Suggested changes would be to either make setup_and_wait(char *command) (setup.c) also take the file descriptor that should be closed as an argument or close all file descriptors from fd#3 and above after the vfork().
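Added example, not part of the original report and not truss source code: a small C program that reproduces the effect described above and checks both suggested fixes. The function name, the enum, the temporary file name and the 65536 cap are assumptions made for the demo. The child stands in for the traced program, since descriptors without FD_CLOEXEC survive execvp().

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

enum fix { FIX_NONE, FIX_CLOSE_LOG, FIX_CLOSE_FROM_3 };

/* Returns the log size in bytes after the child has run, or -1 on error. */
long log_size_after_child(enum fix fix)
{
    char path[] = "/tmp/truss-demo.XXXXXX"; /* constructed stand-in for the -o file */
    int logfd = mkstemp(path);
    if (logfd < 0)
        return -1;
    unlink(path);
    if (write(logfd, "trace line\n", 11) != 11) {
        close(logfd);
        return -1;
    }
    pid_t pid = fork(); /* truss uses vfork(); fork() keeps this demo well-defined */
    if (pid == 0) {
        /* Child: the point where truss would go on to execvp() the command. */
        if (fix == FIX_CLOSE_LOG) {
            close(logfd);
        } else if (fix == FIX_CLOSE_FROM_3) {
            long max = sysconf(_SC_OPEN_MAX);
            if (max < 0 || max > 65536)
                max = 65536; /* cap chosen for the demo only */
            for (int fd = 3; fd < max; fd++)
                close(fd);
        }
        /* Stand-in for a traced program that treats this fd number as its own. */
        _exit(ftruncate(logfd, 0) == 0 ? 0 : 1);
    }
    struct stat st;
    long size = -1;
    if (pid > 0 && waitpid(pid, NULL, 0) == pid && fstat(logfd, &st) == 0)
        size = (long)st.st_size;
    close(logfd);
    return size;
}

int main(void)
{
    printf("none=%ld close_log=%ld close_from_3=%ld\n", log_size_after_child(FIX_NONE),
           log_size_after_child(FIX_CLOSE_LOG), log_size_after_child(FIX_CLOSE_FROM_3));
    return 0;
}
```

A size of 0 means the child truncated the log through the inherited descriptor; 11 means the log survived because the descriptor was closed before the child touched it.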