Finding the source of a sigill
Kris Kennaway
kris at obsecurity.org
Wed Jan 26 14:48:58 PST 2005
On Wed, Jan 26, 2005 at 04:30:09PM -0600, Dan Nelson wrote:
> In the last episode (Jan 26), Paul Schmehl said:
> > --On Wednesday, January 26, 2005 10:33:51 AM -0600 Dan Nelson
> > <dnelson at allantgroup.com> wrote:
> > >In the last episode (Jan 26), Paul Schmehl said:
> > >>I found this in the messages log when snort died:
> > >>
> > >>Jan 26 03:19:34 buttercup2 /kernel: pid 53186 (snort), uid 0: exited on signal 4
> > >>
> > >>There was no core dump. Is there a way to figure out what the
> > >>cause of the sigill was?
> > >
> > >An illegal instruction :) No way to find out any more without a
> > >core file.
> >
> > Any way of knowing why sigill didn't produce a core file? (It does when
> > make fails.)
>
> Snort might have disabled it, or it might have been disabled by a
> startup script. Try adding "limit -c unlimited" to the snort startup
> script. From the log message, it's running as root so it's not like it
> couldn't write the corefile.

Tuning the relevant sysctls is also often useful, e.g. for putting the
coredump in a mode 1777 directory in case the binary doesn't have
write permission to its cwd.

kern.sugid_coredump: 1
kern.coredump: 1
kern.corefile: %N.%U.core

See core(5)

Kris
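
An added example, not part of the original thread: once core dumps are enabled, this sketch predicts which file to look for from the kernel's "exited on signal" message and the kern.corefile template. The helper name expected_core and the /var/coredumps directory are assumptions; only the %N, %P, %U and %% specifiers from core(5) are expanded.

```shell
#!/bin/sh
# Added example: work out which core file to look for after a kernel
# "exited on signal" message, given the kern.corefile template in effect.
# expected_core is a hypothetical helper name, not a FreeBSD tool.

# usage: expected_core LOGLINE TEMPLATE [CWD_OF_PROCESS]
expected_core() {
    ec_fields=$(printf '%s\n' "$1" | sed -n \
        's/.*pid \([0-9][0-9]*\) (\([^)]*\)), uid \([0-9][0-9]*\): exited on signal \([0-9][0-9]*\).*/\1|\2|\3|\4/p')
    [ -n "$ec_fields" ] || return 1      # not an "exited on signal" line
    # Split into pid, process name, uid, signal number (signal is unused here).
    IFS='|' read -r ec_pid ec_name ec_uid ec_sig <<EOF
$ec_fields
EOF
    ec_tmpl=$2
    ec_out=
    # Expand %N (name), %P (pid), %U (uid) and %% (literal percent).
    # Any other specifier is copied through unchanged.
    while [ -n "$ec_tmpl" ]; do
        case $ec_tmpl in
            %N*) ec_out=$ec_out$ec_name; ec_tmpl=${ec_tmpl#"%N"} ;;
            %P*) ec_out=$ec_out$ec_pid;  ec_tmpl=${ec_tmpl#"%P"} ;;
            %U*) ec_out=$ec_out$ec_uid;  ec_tmpl=${ec_tmpl#"%U"} ;;
            %%*) ec_out="${ec_out}%";    ec_tmpl=${ec_tmpl#"%%"} ;;
            *)   ec_rest=${ec_tmpl#?}    # copy one ordinary character
                 ec_out=$ec_out${ec_tmpl%"$ec_rest"}
                 ec_tmpl=$ec_rest ;;
        esac
    done
    # A relative template is resolved against the process's working directory.
    case $ec_out in
        /*) ;;
        *)  ec_out=${3:-.}/$ec_out ;;
    esac
    printf '%s\n' "$ec_out"
}

# Log line from the thread; /var/coredumps is an assumed mode 1777 directory.
msg='Jan 26 03:19:34 buttercup2 /kernel: pid 53186 (snort), uid 0: exited on signal 4'
expected_core "$msg" '%N.%U.core'                  # ./snort.0.core
expected_core "$msg" '/var/coredumps/%N.%P.core'   # /var/coredumps/snort.53186.core
```

The template currently in effect can be read with `sysctl kern.corefile`.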
More information about the freebsd-questions mailing list