[Bugme-new] [Bug 10856] New: incorrect tracking of overwritten files of running processes in /proc/<pid>/
bugme-daemon at bugzilla.kernel.org
bugme-daemon at bugzilla.kernel.org
Wed Jun 4 13:57:04 PDT 2008
http://bugzilla.kernel.org/show_bug.cgi?id=10856
Summary: incorrect tracking of overwritten files of running
processes in /proc/<pid>/
Product: File System
Version: 2.5
KernelVersion: 2.6.25
Platform: All
OS/Version: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: VFS
AssignedTo: fs_vfs at kernel-bugs.osdl.org
ReportedBy: vapier at gentoo.org
as reported a while ago here: http://lkml.org/lkml/2007/6/6/512
looking at a simple program:
int main()
{
if (fork()) return 0;
printf("pid = %i\n", getpid());
while (1) sleep(3600);
}
and where my / and /var/tmp are on the same partition:
# gcc test.c -o /usr/sbin/MOO
# /usr/sbin/MOO
pid = 17144
# readlink /proc/17144/exe
/usr/sbin/MOO
# gcc test.c -o /var/tmp/MOO
# mv /var/tmp/MOO /usr/sbin/MOO
# readlink /proc/17144/exe
/var/tmp/MOO (deleted)
i feel like the new exe link should actually read:
/usr/sbin/MOO (deleted)
otherwise people can easily get confused as they think their daemon was started
in /var/tmp/ and their machine was compromised
while this example shows /proc/<pid>/exe, the same issue can be seen with the
maps file and shared libraries. a quick check on many systems by doing:
grep '(deleted)' /proc/*/maps
--
Configure bugmail: http://bugzilla.kernel.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
More information about the Bugme-new
mailing list