Ubuntu
glibc package

Wrong implementation of sys_acct() linux-syscall. Discrepancies between kernel-space & user-space.

Bug #56188 reported by nitr0us on 2006-08-13

Affects		Status	Importance	Assigned to	Milestone
	glibc (Ubuntu)	Invalid	Undecided	Unassigned
	linux-source-2.6.15 (Ubuntu)	Invalid	Undecided	Unassigned

Bug Description

Binary package hint: linux-source-2.6.15

BUG OVERVIEW:

This is a wrong implementation of sys_acct() linux-syscall on Ubuntu.

I've been programming some pieces of code such as account.c (enable or disable process accounting) and
reader.c (Read the file and show its content on screen)[1]. Look:

nitrous@lsd:~/x/acct-bug$ gcc account.c -o account
nitrous@lsd:~/x/acct-bug$ ./account
Usage: ./account [-de] acct_file
        -d Disable
        -e Enable
nitrous@lsd:~/x/acct-bug$ ./account -e ./UBUNTU606
acct(): Operation not permitted
nitrous@lsd:~/x/acct-bug$ su
Password:
root@lsd:/home/nitrous/x/acct-bug# ./account -e ./UBUNTUBREEZY
Enabled on ./UBUNTUBREEZY
root@lsd:/home/nitrous/x/acct-bug# ls
account acct.h OS_DETAILS reader.c readerv3.c sizeof sizeofv3 UBUNTU606
account.c CENTOS reader readerv3 REDHAT9 sizeof.c sizeofv3.c UBUNTUBREEZY
root@lsd:/home/nitrous/x/acct-bug# uname -a
Linux lsd 2.6.12-9-386 #1 Mon Oct 10 13:14:36 BST 2005 i6
root@lsd:/home/nitrous/x/acct-bug# ./account -d ./UBUNTUBREEZY
Disabled
root@lsd:/home/nitrous/x/acct-bug# ./reader
Usage: ./reader <acctfile>
root@lsd:/home/nitrous/x/acct-bug# ./reader ./UBUNTUBREEZY
                                     BLOCKS CHARS T.REAL T.CPU MINOR MAJOR EXIT
COMMAND USER GID TTY R/W R/W (s. ) (s. ) PAGEF PAGEF CODE
#| UID:34822 0 0 0 7452 74.61 0.00 26365 17628 0
       UID:34822 0 0 0 7452 74.62 0.00 26368 17628 0
H
         UID:34822 0 0 0 7452 74.63 0.00 26371 17628 0

All the printed different boxes):
root@lsd:/home/nitrous//home/nitrous//home/nitrous//home/nitrous/     &     & d
    & @ UID:34816 0 The program works UBUNTU606 and UBUNTUBREEZY?... information is WRONG!. Ok, let's make more tests with others account files (created on
/>x/acct-bug# ./reader REDHAT9
nbsp;                                BLOCKS CHARS T.REAL T.CPU MINOR MAJOR EXIT
R/W R/W (s. ) (s. ) PAGEF PAGEF CODE
34816 0 0 0.00 0.00 16 86 0
34816 0 0 0.01 0.00 27 145 0
34816 0 0 0.00 0.00 18 110 0
/>x/acct-bug# ./reader CENTOS
nbsp;                                BLOCKS CHARS T.REAL T.CPU MINOR MAJOR EXIT
R/W R/W (s. ) (s. ) PAGEF PAGEF CODE
1025 0 0 0.00 0.00 106 0 0
1025 0 0 0.02 0.00 209 1 0
1025 0 0 0.02 0.00 224 1 0
1026 0 0 0.02 0.00 324 0 0
1026 0 0 0.00 0.00 139 0 0
1025 0 0 0.00 0.00 249 0 0
/>x/acct-bug# ./reader DEBIAN
nbsp;                                BLOCKS CHARS T.REAL T.CPU MINOR MAJOR EXIT
R/W R/W (s. ) (s. ) PAGEF PAGEF CODE
34820 0 0 0.00 0.00 106 0 0
34820 0 0 0.00 0.00 213 0 0
0 0 0 114.03 0.00 13 0 0
34820 0 0 0.01 0.00 271 0 0
0 0 0 7.13 0.00 3 0 0
/>x/acct-bug# ./reader UBUNTU606
nbsp;                                BLOCKS CHARS T.REAL T.CPU MINOR MAJOR EXIT
R/W R/W (s. ) (s. ) PAGEF PAGEF CODE
0 0 13865 139.02 0.00 45512 17626 0
nbsp;  UID:34816 0 0 0 13865 139.09 0.00 45517 17626 65536
0 0 13859 138.65 0.00 45490 17626 2
nbsp;    UID:34816 0 0 0 13418 138.59 0.00 45488 17626 65536
nbsp;  UID:34816 0 0 0 13418 139.17 10.01 45522 17626 0
nbsp;    UID:34816 0 0 0 13927 139.29 0.00 45527 17626 0
0 0 13926 139.27 0.00 45527 17626 2
fine with REDHAT, CENTOS and DEBIAN account files, but again, why it doesn't work on
Making some research I found this:

Ubuntu uses 'struct acct' in /usr/include/sys/acct.h (I think that kernel's ACCT_VERSION = 2), but
sys_acct(), at low-level routines really uses 'struct acct_v3' and that's why our reader program doesn't work
(The file's binary format is different).

I wrote another reader for 'struct acct_v3' using linux-2.6.12/include/linux/acct.h, look:
root@lsd:/home/nitrous/x/acct-bug# ./readerv3 ./UBUNTU606
BLOCKS CHARS MINOR MAJOR EXIT
COMMAND USER GID TTY R/W R/W PAGEF PAGEF CODE
#account root 0 34816 0 0 159 0 0
id root 0 34816 0 0 345 3 0
bash root 0 34816 0 0 796 1 0
#su root 0 34816 0 0 467 0 0
ls mysql 1001 34816 0 0 423 0 0
id root 0 34816 0 0 333 0 0
groups root 0 34816 0 0 455 0 0
bash root 0 34816 0 0 200 0 0
basename root 0 34816 0 0 303 0 0
dirname root 0 34816 0 0 232 0 0
lesspipe root 0 34816 0 0 181 0 0
lesspipe root 0 34816 0 0 200 0 0
lesspipe root 0 34816 0 0 506 0 0
bash root 0 34816 0 0 198 0 0
dircolors root 0 34816 0 0 244 0 0
bash root 0 34816 0 0 197 0 0
root@lsd:/home/nitrous/x/acct-bug# ./readerv3 ./UBUNTUBREEZY
BLOCKS CHARS MINOR MAJOR EXIT
COMMAND USER GID TTY R/W R/W PAGEF PAGEF CODE
#account root 0 34818 0 0 397 0 0
ps nitrous 1000 34818 0 0 305 2 0
cat nitrous 1000 34818 0 0 136 0 0
ls nagios 1002 34818 0 0 208 0 0
ps nagios 1002 34818 0 0 308 0 0
id nagios 1002 34818 0 0 259 0 0
#sh nagios 1002 34818 0 0 638 2 0
#su nitrous 1002 34818 0 0 331 0 0
id nitrous 1000 34818 0 0 270 0 0

It works ;)!.

TESTED ON:
[+] Ubuntu 6.06.1 LTS - Kernel: 2.6.15-26-386
[+] Ubuntu 5.10 "Breezy Badger" - 2.6.12-9-386

TIMELINE:
Bug discovered: 21/June/2006
Bug Published: 12/August/2006

Regards.
A. Alejandro Hernandez Hernandez
nitr0us [nitrousenador.at.gmail.dot.com]

Rerefences:
[1] Codes and related stuff.
http://www.genexx.org/nitrous/code/acct-bug/acct-bug.tar.gz

Revision history for this message

Ben Collins (ben-collins) wrote on 2006-08-13:

I think it's up to glibc to correctly detect what the kernel implements.

Revision history for this message

nitr0us (nitrousenador) wrote on 2006-08-13:

Ok, I understand.

Others third-party software is affected too, like GNU Accounting Utils, specifically 'dump-act' and 'lastcomm' binaries.

Regards.

Revision history for this message

Paul Dufresne (paulduf) wrote on 2007-11-16:

Rejecting on the kernel, as this is believed that it should be fixed in glibc.

Changed in linux-source-2.6.15:
status:	New → Invalid

Revision history for this message

Paul Dufresne (paulduf) wrote on 2007-11-16:

Thank you for taking the time to report this bug and helping to make Ubuntu better. You reported this bug a while ago and there hasn't been any activity in it recently. We were wondering is this still an issue for you? Can you try with latest Ubuntu release? Thanks in advance.

Changed in glibc:
assignee:	nobody → dufresnep
status:	New → Incomplete

Revision history for this message

Paul Dufresne (paulduf) wrote on 2008-01-07:

Well, I personnaly don't see what this has to do with GLib, but original poster seems to agree with Ben.
As there is no answer I would normally close the bug, but since the bug contains pretty clear example, I'll rather confirm it on glibc, letting glibc developer take a look.

Changed in glibc:
assignee:	dufresnep → nobody
status:	Incomplete → Confirmed

Revision history for this message

nitr0us (nitrousenador) wrote on 2011-07-24:

Proof of Concept Edit (142.1 KiB, image/png)

Hi all,

Sorry for the late respose, but, I haven't had time to download and try that functionality bug since 2007 :$ ...

Anyway, today, we're at one of the biggest tech parties in Mexico (Campus Party) and there's a Ubuntu Linux community called "UBUNTU DF" (www.ubuntudf.org). So, they gave me 10 minutes to test that (old) flaw on the latest version.

And ... again, the flaw IS STILL THERE ... there's a discrepancie between user space & kernel space with the sys acct structure ..

I attach in this post the screenshot of the Proof of Concept.

Cheers !! from Campus Party jeje...

Revision history for this message

Phillip Susi (psusi) wrote on 2013-05-13:

This doesn't appear to be a problem in glibc at all since it isn't responsible for reading the records. It looks like the kernel interface fails to provide a clean way to detect the format, so you simply have to know a priori that you are not on an ancient kernel that still uses the old format.