Wrong implementation of sys_acct() linux-syscall. Discrepancies between kernel-space & user-space.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
glibc (Ubuntu) | Invalid | Undecided | Unassigned |
linux-source-2.6.15 (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
Binary package hint: linux-source-2.6.15
BUG OVERVIEW:
This is a wrong implementation of sys_acct() linux-syscall on Ubuntu.
I've been programming some pieces of code such as account.c (enable or disable process accounting) and
reader.c (Read the file and show its content on screen)[1]. Look:
nitrous@
nitrous@
Usage: ./account [-de] acct_file
-d Disable
-e Enable
nitrous@
acct(): Operation not permitted
nitrous@
Password:
root@lsd:
Enabled on ./UBUNTUBREEZY
root@lsd:
account acct.h OS_DETAILS reader.c readerv3.c sizeof sizeofv3 UBUNTU606
account.c CENTOS reader readerv3 REDHAT9 sizeof.c sizeofv3.c UBUNTUBREEZY
root@lsd:
Linux lsd 2.6.12-9-386 #1 Mon Oct 10 13:14:36 BST 2005 i6
root@lsd:
Disabled
root@lsd:
Usage: ./reader <acctfile>
root@lsd:
COMMAND USER GID TTY R/W R/W (s. ) (s. ) PAGEF PAGEF CODE
#| UID:34822 0 0 0 7452 74.61 0.00 26365 17628 0
UID:34822 0 0 0 7452 74.62 0.00 26368 17628 0
H
UID:34822 0 0 0 7452 74.63 0.00 26371 17628 0
All the printed information is WRONG! Ok, let's make more tests with other account files (created on
different boxes):
root@lsd:
COMMAND USER GID TTY R/W R/W (s. ) (s. ) PAGEF PAGEF CODE
#cont root 0 34816 0 0 0.00 0.00 16 86 0
#ls root 0 34816 0 0 0.01 0.00 27 145 0
uname root 0 34816 0 0 0.00 0.00 18 110 0
root@lsd:
COMMAND USER GID TTY R/W R/W (s. ) (s. ) PAGEF PAGEF CODE
#cont root 0 1025 0 0 0.00 0.00 106 0 0
#dir root 0 1025 0 0 0.02 0.00 209 1 0
#ps root 0 1025 0 0 0.02 0.00 224 1 0
ls UID:500 500 1026 0 0 0.02 0.00 324 0 0
uname UID:500 500 1026 0 0 0.00 0.00 139 0 0
#ls root 0 1025 0 0 0.00 0.00 249 0 0
root@lsd:
COMMAND USER GID TTY R/W R/W (s. ) (s. ) PAGEF PAGEF CODE
#account root 0 34820 0 0 0.00 0.00 106 0 0
#ls root 0 34820 0 0 0.00 0.00 213 0 0
mozilla-bin nitrous 1000 0 0 0 114.03 0.00 13 0 0
#ps root 0 34820 0 0 0.01 0.00 271 0 0
mozilla-bin nitrous 1000 0 0 0 7.13 0.00 3 0 0
root@lsd:
COMMAND USER GID TTY R/W R/W (s. ) (s. ) PAGEF PAGEF CODE
#\uffff UID:34816 0 0 0 13865 139.02 0.00 45512 17626 0
UID:34816 0 0 0 13865 139.09 0.00 45517 17626 65536
\uffff UID:34816 0 0 0 13859 138.65 0.00 45490 17626 2
#\uffff
UID:34816 0 0 0 13418 138.59 0.00 45488 17626 65536
UID:34816 0 0 0 13418 139.17 10.01 45522 17626 0
d
UID:34816 0 0 0 13927 139.29 0.00 45527 17626 0
@ UID:34816 0 0 0 13926 139.27 0.00 45527 17626 2
The program works fine with REDHAT, CENTOS and DEBIAN account files, but again, why doesn't it work on
UBUNTU606 and UBUNTUBREEZY?... Doing some research I found this:
Ubuntu uses 'struct acct' in /usr/include/
sys_acct(), at low-level routines really uses 'struct acct_v3' and that's why our reader program doesn't work
(The file's binary format is different).
I wrote another reader for 'struct acct_v3' using linux-2.
root@lsd:
COMMAND USER GID TTY R/W R/W PAGEF PAGEF CODE
#account root 0 34816 0 0 159 0 0
id root 0 34816 0 0 345 3 0
bash root 0 34816 0 0 796 1 0
#su root 0 34816 0 0 467 0 0
ls mysql 1001 34816 0 0 423 0 0
id root 0 34816 0 0 333 0 0
groups root 0 34816 0 0 455 0 0
bash root 0 34816 0 0 200 0 0
basename root 0 34816 0 0 303 0 0
dirname root 0 34816 0 0 232 0 0
lesspipe root 0 34816 0 0 181 0 0
lesspipe root 0 34816 0 0 200 0 0
lesspipe root 0 34816 0 0 506 0 0
bash root 0 34816 0 0 198 0 0
dircolors root 0 34816 0 0 244 0 0
bash root 0 34816 0 0 197 0 0
root@lsd:
COMMAND USER GID TTY R/W R/W PAGEF PAGEF CODE
#account root 0 34818 0 0 397 0 0
ps nitrous 1000 34818 0 0 305 2 0
cat nitrous 1000 34818 0 0 136 0 0
ls nagios 1002 34818 0 0 208 0 0
ps nagios 1002 34818 0 0 308 0 0
id nagios 1002 34818 0 0 259 0 0
#sh nagios 1002 34818 0 0 638 2 0
#su nitrous 1002 34818 0 0 331 0 0
id nitrous 1000 34818 0 0 270 0 0
It works ;)!.
TESTED ON:
[+] Ubuntu 6.06.1 LTS - Kernel: 2.6.15-26-386
[+] Ubuntu 5.10 "Breezy Badger" - 2.6.12-9-386
TIMELINE:
Bug discovered: 21/June/2006
Bug Published: 12/August/2006
Regards.
A. Alejandro Hernandez Hernandez
nitr0us [nitrousenador.
References:
[1] Codes and related stuff.
http://
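Added example (not the reporter's reader.c or readerv3.c): a reader that checks the `ac_version` byte before decoding, so a record written as `struct acct_v3` is never interpreted with the legacy `struct acct` offsets. It goes beyond the report by handling both layouts. The field offsets assume the little-endian layouts in the kernel's `include/linux/acct.h`; `parse_acct`, `struct rec` and `sample_v3` are hypothetical names, and the sample record is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REC_SIZE 64   /* legacy v2 and acct_v3 records are both 64 bytes */
struct rec { int version; uint16_t tty; uint32_t uid, gid; uint64_t minflt; char comm[17]; };

static uint16_t le16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const unsigned char *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* comp_t: 13-bit mantissa, 3-bit exponent in base 8 */
uint64_t comp_decode(uint16_t c) { return (uint64_t)(c & 0x1fff) << (3 * (c >> 13)); }

/* Decode one little-endian record; -1 for short input or an unknown layout. */
int parse_acct(const unsigned char *b, size_t len, struct rec *r) {
    size_t tty, uid, gid, minflt, comm;
    if (len < REC_SIZE || (b[1] & 0x80)) return -1;   /* 0x80 = big-endian writer */
    memset(r, 0, sizeof *r);
    r->version = b[1] & 0x0f;                         /* ac_version is byte 1 in both layouts */
    if (r->version == 3)      { tty = 2; uid = 8;  gid = 12; minflt = 42; comm = 48; }
    else if (r->version == 2) { tty = 6; uid = 56; gid = 60; minflt = 24; comm = 36; }
    else return -1;                                   /* refuse to guess a layout */
    r->tty = le16(b + tty);
    r->uid = le32(b + uid);
    r->gid = le32(b + gid);
    r->minflt = comp_decode(le16(b + minflt));
    memcpy(r->comm, b + comm, 16);                    /* comm[16] stays NUL from memset */
    return 0;
}

/* Constructed sample: a v3 record for "ps", uid/gid 1000, tty 34818, 305 minor faults. */
void sample_v3(unsigned char *b) {
    memset(b, 0, REC_SIZE);
    b[1] = 3;                                         /* ac_version = 3, little-endian */
    b[2] = 0x02; b[3] = 0x88;                         /* tty 34818 = 0x8802 */
    b[8] = 0xe8; b[9] = 0x03;                         /* uid 1000 = 0x03e8 */
    b[12] = 0xe8; b[13] = 0x03;                       /* gid 1000 */
    b[42] = 0x31; b[43] = 0x01;                       /* minflt 305 = 0x0131 */
    memcpy(b + 48, "ps", 2);
}

int main(void) {
    unsigned char buf[REC_SIZE]; struct rec r;
    sample_v3(buf);
    if (parse_acct(buf, sizeof buf, &r) == 0)
        printf("v%d %s uid=%u gid=%u tty=%u minflt=%llu\n", r.version, r.comm,
               (unsigned)r.uid, (unsigned)r.gid, (unsigned)r.tty, (unsigned long long)r.minflt);
    return 0;
}
```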
I think it's up to glibc to correctly detect what the kernel implements.