On Fri, Aug 07, 2020 at 01:43:52PM +0200, Sebastien Marie wrote:
> Hi,
>
> I recently added a new step in my ansible playbook to run sysupgrade on a batch of
> hosts: it installs a temporary /etc/nologin to prevent users from logging in while
> sysupgrade is fetching sets.
>
> Now, I am seeing unveil(2) violations in the acct(2) log file:
>
>   sh -U _syspatch __ 0.00 secs Thu Aug 6 16:01 (0:01:32.50)
>
> [...]
>
> The first one is: the offender reported in the acct subsystem is "sh", whereas the
> real offender is "su". I am suspecting a race, but I will look at it later.
>
Now that I know how acct(2) works, here is the explanation.

Accounting information is recorded during the lifetime of the process as flags in
pr->ps_acflag, and the reporting is done *on process exit* by calling the
acct_process() function, which collects the process information and writes it to
the accounting file. It means that the command name reported (pr->ps_comm) is the
one at the time of process exit.

Here, su(1) makes a violation, and next calls execve(2) on "/bin/sh". So the
command name reported at process exit will be "sh".

As it is properly documented in acct(2), I will just disregard it as a bug:

  For every process initiated which terminates under normal conditions or
  misbehaves in very specific ways (e.g. file access prevented by unveil), an
  accounting record is appended to file.

Thanks.
-- 
Sebastien Marie
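The ordering described in the message above (flags accumulate for the whole process lifetime, the name is snapshotted only when the record is written at exit, so a violation made before an execve(2) is attributed to the post-exec program) can be replayed with a small model. The block below is an added illustration written for this thread, not OpenBSD kernel code: the struct, field names, flag values and every model_* function are assumptions chosen to mirror the explanation, and the su-then-sh scenario is the one from the lastcomm line quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical flag values for this model only; the real sys/acct.h
 * values are not reproduced here. */
#define ACFLAG_UNVEIL 0x01   /* an unveil(2) violation was seen */
#define ACFLAG_PLEDGE 0x02   /* a pledge(2) violation was seen  */

/* Model of the per-process state that matters for accounting. */
struct model_process {
    char ps_comm[16];        /* current command name, replaced on exec */
    unsigned ps_acflag;      /* accumulates for the process lifetime   */
};

/* Model of one record appended to the accounting file at exit. */
struct model_acct {
    char ac_comm[16];
    unsigned ac_flag;
};

static void set_comm(struct model_process *p, const char *comm) {
    strncpy(p->ps_comm, comm, sizeof p->ps_comm - 1);
    p->ps_comm[sizeof p->ps_comm - 1] = '\0';
}

/* New process: fresh name, no accounting flags yet. */
void model_fork(struct model_process *p, const char *comm) {
    set_comm(p, comm);
    p->ps_acflag = 0;
}

/* An unveil violation only sets a flag; nothing is written at this point. */
void model_unveil_violation(struct model_process *p) {
    p->ps_acflag |= ACFLAG_UNVEIL;
}

/* execve(2): the image and name change, the accounting flags survive. */
void model_execve(struct model_process *p, const char *path) {
    const char *base = strrchr(path, '/');
    set_comm(p, base ? base + 1 : path);
}

/* acct_process(): runs at exit and snapshots the *current* name and flags. */
struct model_acct model_acct_process(const struct model_process *p) {
    struct model_acct rec;
    memcpy(rec.ac_comm, p->ps_comm, sizeof rec.ac_comm);
    rec.ac_flag = p->ps_acflag;
    return rec;
}

/* Replay the scenario from the thread: su trips unveil, then execs /bin/sh. */
struct model_acct replay_su_scenario(void) {
    struct model_process p;
    model_fork(&p, "su");
    model_unveil_violation(&p);     /* flag set while the name is still "su" */
    model_execve(&p, "/bin/sh");    /* name becomes "sh", the flag is kept   */
    return model_acct_process(&p);  /* the record is written only now        */
}

int main(void) {
    struct model_acct rec = replay_su_scenario();
    /* Mimics the lastcomm(1) columns for name and flags: "sh -U" */
    printf("%-10s %s\n", rec.ac_comm,
           (rec.ac_flag & ACFLAG_UNVEIL) ? "-U" : "--");
    return 0;
}
```

The practical consequence when reading such records: a U (or P) flag says a violation happened somewhere in the process's life, but ac_comm names whatever was running when the process exited, so a flagged "sh" or other interpreter is worth tracing back to the program that exec'd it rather than treated as the offender itself.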