
Who and what is executing files in a directory?

July 27, 2010

Watching this discussion ongoing over on the OpenSolaris ARC email alias got me thinking it should be easy with dtrace to see if anyone on a given system is using the symbolic links in /etc/ to execute binaries.

It should just be a one liner.

However, it is not. (If you have the one-liner then let me know.)

The problem is that if you use the proc provider then by the time that fires the symbolic link is already resolved.

So just use the syscall provider to do the same thing. However, as everyone knows, when using the syscall provider you have to be careful that the arguments have been paged in if you wish to read them. The usual trick is to note down the address in the entry probe and then do the copyin in the return probe, after the kernel has accessed, and therefore paged in, the address.

However, this is exec, which has no return in the case of success, and even if it did, by then the old address space has been destroyed and replaced by the new one.

Having got this far, I have gone past the question of whether the results are going to be useful; this is now a problem that has to be solved.

I hoped for a solution that did not involve knowing the internals of exec but did not manage that.

/usr/sbin/dtrace -qn '
/* remember the user address of the path passed to exec; not yet safe to read */
fbt::exec_common:entry { self->arg = arg0; }
/* the kernel has now touched the path, so it is safe to copyinstr it */
fbt::lookuppn:return /self->arg/ {
  self->p = copyinstr(self->arg);
  self->e = execname;
}
fbt::lookuppn:return /self->p != 0 && dirname(self->p) == "/etc"/ {
  printf("UID %d exec %s ppid %d: %s\n", uid, self->e, ppid, self->p);
}
/* only inspect the first lookuppn of each exec, then release the thread-locals */
fbt::lookuppn:return /self->arg/ { self->arg = 0; self->p = 0; self->e = 0; }'

UID 0 exec pfexec ppid 89246: /etc/rmt
UID 14442 exec ksh ppid 18072: /etc/telinit

Unfortunately this is not a particularly useful way to answer the general question of whether the symbolic links in /etc are still being used, unless it was run across a very large number of systems. However, it does offer a way to find who is executing files from a particular directory.
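The same exec_common/lookuppn pairing can also tally executions per path instead of printing a line per exec, which is closer to what the "are the /etc symlinks still used" question needs when the script is left running for a while. This is an added example, not the post's own script; it assumes the same Solaris fbt probes as above, and the /etc directory in the predicate can be swapped for any other.

```dtrace
#!/usr/sbin/dtrace -qs

/* Added example: count execs of files living directly in /etc, keyed by
   uid, calling program and path, and print the tally when the script stops. */

fbt::exec_common:entry
{
        /* user address of the path passed to exec(); not yet safe to copyinstr */
        self->arg = arg0;
}

/* the first lookuppn() of this exec has touched the path, so copyinstr is safe */
fbt::lookuppn:return
/self->arg/
{
        self->p = copyinstr(self->arg);
        self->arg = 0;            /* ignore later lookuppn calls in this exec */
}

fbt::lookuppn:return
/self->p != 0 && dirname(self->p) == "/etc"/
{
        @execs[uid, execname, self->p] = count();
}

fbt::lookuppn:return
/self->p != 0/
{
        self->p = 0;              /* release the thread-local string */
}

END
{
        printf("%-8s %-16s %-32s %s\n", "UID", "EXECNAME", "PATH", "COUNT");
        printa("%-8d %-16s %-32s %@d\n", @execs);
}
```

Stop it with Ctrl-C after the observation window; the END clause then prints one row per (uid, execname, path) seen.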


From → bsc, Solaris

One Comment
  1. scz:

    Scratch space is only valid for the duration of a clause. Your self->p may be invalid.
