Wrong implementation of sys_acct() linux-syscall. Discrepancies between kernel-space & user-space.

Bug #56188 reported by nitr0us on 2006-08-13
4
Affects Status Importance Assigned to Milestone
glibc (Ubuntu)
Undecided
Unassigned
linux-source-2.6.15 (Ubuntu)
Undecided
Unassigned

Bug Description

Binary package hint: linux-source-2.6.15

BUG OVERVIEW:

This is a wrong implementation of sys_acct() linux-syscall on Ubuntu.

I've been programming some pieces of code such as account.c (enable or disable process accounting) and
reader.c (Read the file and show its content on screen)[1]. Look:

nitrous@lsd:~/x/acct-bug$ gcc account.c -o account
nitrous@lsd:~/x/acct-bug$ ./account
Usage: ./account [-de] acct_file
        -d Disable
        -e Enable
nitrous@lsd:~/x/acct-bug$ ./account -e ./UBUNTU606
acct(): Operation not permitted
nitrous@lsd:~/x/acct-bug$ su
Password:
root@lsd:/home/nitrous/x/acct-bug# ./account -e ./UBUNTUBREEZY
Enabled on ./UBUNTUBREEZY
root@lsd:/home/nitrous/x/acct-bug# ls
account acct.h OS_DETAILS reader.c readerv3.c sizeof sizeofv3 UBUNTU606
account.c CENTOS reader readerv3 REDHAT9 sizeof.c sizeofv3.c UBUNTUBREEZY
root@lsd:/home/nitrous/x/acct-bug# uname -a
Linux lsd 2.6.12-9-386 #1 Mon Oct 10 13:14:36 BST 2005 i6
root@lsd:/home/nitrous/x/acct-bug# ./account -d ./UBUNTUBREEZY
Disabled
root@lsd:/home/nitrous/x/acct-bug# ./reader
Usage: ./reader <acctfile>
root@lsd:/home/nitrous/x/acct-bug# ./reader ./UBUNTUBREEZY
                                     BLOCKS CHARS T.REAL T.CPU MINOR MAJOR EXIT
COMMAND USER GID TTY R/W R/W (s. ) (s. ) PAGEF PAGEF CODE
#| UID:34822 0 0 0 7452 74.61 0.00 26365 17628 0
       UID:34822 0 0 0 7452 74.62 0.00 26368 17628 0
 H
         UID:34822 0 0 0 7452 74.63 0.00 26371 17628 0

All the printed information is WRONG!. Ok, let's make more tests with others account files (created on
different boxes):
root@lsd:/home/nitrous/x/acct-bug# ./reader REDHAT9
                                     BLOCKS CHARS T.REAL T.CPU MINOR MAJOR EXIT
COMMAND USER GID TTY R/W R/W (s. ) (s. ) PAGEF PAGEF CODE
#cont root 0 34816 0 0 0.00 0.00 16 86 0
#ls root 0 34816 0 0 0.01 0.00 27 145 0
 uname root 0 34816 0 0 0.00 0.00 18 110 0
root@lsd:/home/nitrous/x/acct-bug# ./reader CENTOS
                                     BLOCKS CHARS T.REAL T.CPU MINOR MAJOR EXIT
COMMAND USER GID TTY R/W R/W (s. ) (s. ) PAGEF PAGEF CODE
#cont root 0 1025 0 0 0.00 0.00 106 0 0
#dir root 0 1025 0 0 0.02 0.00 209 1 0
#ps root 0 1025 0 0 0.02 0.00 224 1 0
 ls UID:500 500 1026 0 0 0.02 0.00 324 0 0
 uname UID:500 500 1026 0 0 0.00 0.00 139 0 0
#ls root 0 1025 0 0 0.00 0.00 249 0 0
root@lsd:/home/nitrous/x/acct-bug# ./reader DEBIAN
                                     BLOCKS CHARS T.REAL T.CPU MINOR MAJOR EXIT
COMMAND USER GID TTY R/W R/W (s. ) (s. ) PAGEF PAGEF CODE
#account root 0 34820 0 0 0.00 0.00 106 0 0
#ls root 0 34820 0 0 0.00 0.00 213 0 0
 mozilla-bin nitrous 1000 0 0 0 114.03 0.00 13 0 0
#ps root 0 34820 0 0 0.01 0.00 271 0 0
 mozilla-bin nitrous 1000 0 0 0 7.13 0.00 3 0 0
root@lsd:/home/nitrous/x/acct-bug# ./reader UBUNTU606
                                     BLOCKS CHARS T.REAL T.CPU MINOR MAJOR EXIT
COMMAND USER GID TTY R/W R/W (s. ) (s. ) PAGEF PAGEF CODE
#\uffff UID:34816 0 0 0 13865 139.02 0.00 45512 17626 0
       UID:34816 0 0 0 13865 139.09 0.00 45517 17626 65536
 \uffff UID:34816 0 0 0 13859 138.65 0.00 45490 17626 2
#\uffff
         UID:34816 0 0 0 13418 138.59 0.00 45488 17626 65536
       UID:34816 0 0 0 13418 139.17 10.01 45522 17626 0
 d
         UID:34816 0 0 0 13927 139.29 0.00 45527 17626 0
 @ UID:34816 0 0 0 13926 139.27 0.00 45527 17626 2
The program works fine with REDHAT, CENTOS and DEBIAN account files, but again, why it doesn't work on
UBUNTU606 and UBUNTUBREEZY?... Making some research I found this:

Ubuntu uses 'struct acct' in /usr/include/sys/acct.h (I think that kernel's ACCT_VERSION = 2), but
sys_acct(), at low-level routines really uses 'struct acct_v3' and that's why our reader program doesn't work
(The file's binary format is different).

I wrote another reader for 'struct acct_v3' using linux-2.6.12/include/linux/acct.h, look:
root@lsd:/home/nitrous/x/acct-bug# ./readerv3 ./UBUNTU606
                                     BLOCKS CHARS MINOR MAJOR EXIT
COMMAND USER GID TTY R/W R/W PAGEF PAGEF CODE
#account root 0 34816 0 0 159 0 0
 id root 0 34816 0 0 345 3 0
 bash root 0 34816 0 0 796 1 0
#su root 0 34816 0 0 467 0 0
 ls mysql 1001 34816 0 0 423 0 0
 id root 0 34816 0 0 333 0 0
 groups root 0 34816 0 0 455 0 0
 bash root 0 34816 0 0 200 0 0
 basename root 0 34816 0 0 303 0 0
 dirname root 0 34816 0 0 232 0 0
 lesspipe root 0 34816 0 0 181 0 0
 lesspipe root 0 34816 0 0 200 0 0
 lesspipe root 0 34816 0 0 506 0 0
 bash root 0 34816 0 0 198 0 0
 dircolors root 0 34816 0 0 244 0 0
 bash root 0 34816 0 0 197 0 0
root@lsd:/home/nitrous/x/acct-bug# ./readerv3 ./UBUNTUBREEZY
                                     BLOCKS CHARS MINOR MAJOR EXIT
COMMAND USER GID TTY R/W R/W PAGEF PAGEF CODE
#account root 0 34818 0 0 397 0 0
 ps nitrous 1000 34818 0 0 305 2 0
 cat nitrous 1000 34818 0 0 136 0 0
 ls nagios 1002 34818 0 0 208 0 0
 ps nagios 1002 34818 0 0 308 0 0
 id nagios 1002 34818 0 0 259 0 0
#sh nagios 1002 34818 0 0 638 2 0
#su nitrous 1002 34818 0 0 331 0 0
 id nitrous 1000 34818 0 0 270 0 0

It works ;)!.

TESTED ON:
[+] Ubuntu 6.06.1 LTS - Kernel: 2.6.15-26-386
[+] Ubuntu 5.10 "Breezy Badger" - 2.6.12-9-386

TIMELINE:
Bug discovered: 21/June/2006
Bug Published: 12/August/2006

Regards.
A. Alejandro Hernandez Hernandez
nitr0us [nitrousenador.at.gmail.dot.com]

Rerefences:
[1] Codes and related stuff.
    http://www.genexx.org/nitrous/code/acct-bug/acct-bug.tar.gz

Ben Collins (ben-collins) wrote :

I think it's up to glibc to correctly detect what the kernel implements.

nitr0us (nitrousenador) wrote :

Ok, I understand.

Others third-party software is affected too, like GNU Accounting Utils, specifically 'dump-act' and 'lastcomm' binaries.

Regards.

Paul Dufresne (paulduf) wrote :

Rejecting on the kernel, as this is believed that it should be fixed in glibc.

Changed in linux-source-2.6.15:
status: New → Invalid
Paul Dufresne (paulduf) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. You reported this bug a while ago and there hasn't been any activity in it recently. We were wondering is this still an issue for you? Can you try with latest Ubuntu release? Thanks in advance.

Changed in glibc:
assignee: nobody → dufresnep
status: New → Incomplete
Paul Dufresne (paulduf) wrote :

Well, I personnaly don't see what this has to do with GLib, but original poster seems to agree with Ben.
As there is no answer I would normally close the bug, but since the bug contains pretty clear example, I'll rather confirm it on glibc, letting glibc developer take a look.

Changed in glibc:
assignee: dufresnep → nobody
status: Incomplete → Confirmed
nitr0us (nitrousenador) wrote :

Hi all,

Sorry for the late respose, but, I haven't had time to download and try that functionality bug since 2007 :$ ...

Anyway, today, we're at one of the biggest tech parties in Mexico (Campus Party) and there's a Ubuntu Linux community called "UBUNTU DF" (www.ubuntudf.org). So, they gave me 10 minutes to test that (old) flaw on the latest version.

And ... again, the flaw IS STILL THERE ... there's a discrepancie between user space & kernel space with the sys acct structure ..

I attach in this post the screenshot of the Proof of Concept.

Cheers !! from Campus Party jeje...

Phillip Susi (psusi) wrote :

This doesn't appear to be a problem in glibc at all since it isn't responsible for reading the records. It looks like the kernel interface fails to provide a clean way to detect the format, so you simply have to know a priori that you are not on an ancient kernel that still uses the old format.

Changed in glibc (Ubuntu):
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers