[Bugme-new] [Bug 10856] New: incorrect tracking of overwritten files of running processes in /proc/<pid>/

bugme-daemon at bugzilla.kernel.org bugme-daemon at bugzilla.kernel.org
Wed Jun 4 13:57:04 PDT 2008


http://bugzilla.kernel.org/show_bug.cgi?id=10856

           Summary: incorrect tracking of overwritten files of running
                    processes in /proc/<pid>/
           Product: File System
           Version: 2.5
     KernelVersion: 2.6.25
          Platform: All
        OS/Version: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: VFS
        AssignedTo: fs_vfs at kernel-bugs.osdl.org
        ReportedBy: vapier at gentoo.org


as reported a while ago here: http://lkml.org/lkml/2007/6/6/512

looking at a simple program:
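#include <stdio.h>
#include <unistd.h>

int main()
{
  /* parent exits; the child keeps running in the background */
  if (fork()) return 0;
  printf("pid = %i\n", getpid());
  while (1) sleep(3600);
}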
and where my / and /var/tmp are on the same partition:

# gcc test.c -o /usr/sbin/MOO
# /usr/sbin/MOO
pid = 17144
# readlink /proc/17144/exe
/usr/sbin/MOO

# gcc test.c -o /var/tmp/MOO
# mv /var/tmp/MOO /usr/sbin/MOO
# readlink /proc/17144/exe
/var/tmp/MOO (deleted)

i feel like the new exe link should actually read:
/usr/sbin/MOO (deleted)
otherwise people can easily get confused as they think their daemon was started
in /var/tmp/ and their machine was compromised

while this example shows /proc/<pid>/exe, the same issue can be seen with the
maps file and shared libraries.  a quick check on many systems by doing:
grep '(deleted)' /proc/*/maps


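Added example (not part of the original report or of any kernel code): a triage helper for the "(deleted)" entries discussed above. Because the report shows that the displayed path can be the rename source rather than the location the process was started from, it groups unlinked mappings by device:inode instead of trusting the path. The function names and the sample maps text are assumptions constructed for illustration.

```python
import os

SUFFIX = " (deleted)"  # marker the kernel appends for unlinked files

def split_deleted(target):
    """Split a /proc path string into (path, was_unlinked).
    A file whose real name ends in ' (deleted)' is indistinguishable here."""
    if target.endswith(SUFFIX):
        return target[:-len(SUFFIX)], True
    return target, False

def deleted_mappings(maps_text):
    """Group unlinked file mappings by (dev, inode). The inode identifies the
    file actually mapped; the displayed path may be a rename source."""
    found = {}
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode pathname
        if len(fields) < 6:
            continue                  # anonymous mapping, no pathname
        path, gone = split_deleted(fields[5])
        if gone:
            key = (fields[3], int(fields[4]))
            entry = found.setdefault(key, {"path": path, "exec": False})
            entry["exec"] = entry["exec"] or "x" in fields[1]
    return found

def scan_pid(pid):
    """Live check on Linux: exe link state plus unlinked mappings of one pid."""
    exe, exe_gone = split_deleted(os.readlink(f"/proc/{pid}/exe"))
    with open(f"/proc/{pid}/maps") as fh:
        maps = deleted_mappings(fh.read())
    return {"exe": exe, "exe_deleted": exe_gone, "maps": maps}

# Constructed sample modelled on the report's scenario; the addresses,
# device numbers and inode numbers are made up.
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 131090 /var/tmp/MOO (deleted)
00600000-00601000 rw-p 00000000 08:01 131090 /var/tmp/MOO (deleted)
7f1c2a000000-7f1c2a1b0000 r-xp 00000000 08:01 262401 /lib/libc-2.7.so
7f1c2a3b0000-7f1c2a3b4000 rw-p 00000000 00:00 0
7ffd5e1f0000-7ffd5e211000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for (dev, ino), info in deleted_mappings(SAMPLE_MAPS).items():
        print(dev, ino, info["path"], "executable" if info["exec"] else "data")
```

An entry found this way means only that the mapped inode no longer has its name on disk; an in-place package upgrade produces the same result, so the reported path alone says nothing about where the process was started.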