On Fri, Aug 07, 2020 at 01:43:52PM +0200, Sebastien Marie wrote:
> Hi,
>
> I recently added a new step in my ansible playbook to run sysupgrade on batches
> of hosts: it installs a temporary /etc/nologin to prevent users from logging in
> while sysupgrade is fetching sets.
>
> Now, I am seeing unveil(2) violation in acct(2) log file:
>
> sh -U _syspatch __ 0.00 secs Thu Aug 6 16:01 (0:01:32.50)
>
> [...]
>
> In the first one, the offender reported by the acct subsystem is "sh", whereas
> the real offender is "su". I am suspecting a race, but I will look at it later.
>
Now that I know how acct(2) works, here is the explanation.

Accounting information is recorded during the lifetime of the process as flags
in pr->ps_acflag, and the reporting is done *on process exit* by calling the
acct_process() function, which collects the process information and writes it
to the accounting file.

It means that the command name reported (pr->ps_comm) is the one at the time of
process exit.

Here, su(1) makes the violation, and next calls execve(2) on "/bin/sh". So the
command name reported at process exit will be "sh".

As it is properly documented in acct(2), I will just disregard it as a bug:

    For every process initiated which terminates under normal conditions or
    misbehaves in very specific ways (e.g. file access prevented by unveil), an
    accounting record is appended to file.
Thanks.
--
Sebastien Marie
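The mechanism described above (flags accumulate in the process over its life, the record is written once at exit with the command name current at that moment) matters when you triage accounting logs: a record flagged for an unveil violation names the program that was running at exit, which after an execve(2) is not the program that tripped the check. The following Python script is an added example, not part of the mail or of OpenBSD; it parses lastcomm(1)-style lines of the shape quoted in the mail (the one quoted line plus two constructed neighbours), selects records carrying the U flag, and keeps the surrounding context needed to attribute them. The field layout and the "-" prefix on the flags column are assumptions taken from the single sample line on the page.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of lastcomm(1)-style output. The first line is the one
# quoted in the mail; the other two are made up for illustration.
SAMPLE_LASTCOMM = """\
sh        -U   _syspatch __     0.00 secs Thu Aug  6 16:01 (0:01:32.50)
cron      -    root      __     0.01 secs Thu Aug  6 16:00 (0:00:00.02)
sh        -    root      __     0.00 secs Thu Aug  6 16:01 (0:00:00.10)
"""

# Assumed column layout: comm, flags, user, tty, cpu "secs", start time, (elapsed).
# The flags column is assumed to begin with "-" followed by zero or more flag
# letters, "U" marking an unveil violation (as in the "-U" of the quoted line).
LINE_RE = re.compile(
    r"""
    ^(?P<comm>\S+)\s+
    (?P<flags>-[A-Z]*)\s+
    (?P<user>\S+)\s+
    (?P<tty>\S+)\s+
    (?P<cpu>\d+\.\d+)\s+secs\s+
    (?P<start>\w{3}\s+\w{3}\s+\d+\s+\d{2}:\d{2})\s+
    \((?P<elapsed>[^)]*)\)\s*$
    """,
    re.VERBOSE,
)


@dataclass
class AcctRecord:
    comm: str       # command name at process *exit*, not at the time of the violation
    flags: str      # e.g. "-U"; "-" alone means no flags set
    user: str
    tty: str
    cpu_secs: float
    start: str
    elapsed: str

    @property
    def unveil_violation(self) -> bool:
        return "U" in self.flags


def parse_lastcomm(text: str) -> List[AcctRecord]:
    """Parse lastcomm-style lines into records; blank lines are skipped,
    anything else that does not match the assumed layout raises ValueError."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable accounting line: {line!r}")
        records.append(AcctRecord(
            comm=m["comm"],
            flags=m["flags"],
            user=m["user"],
            tty=m["tty"],
            cpu_secs=float(m["cpu"]),
            start=m["start"],
            elapsed=m["elapsed"],
        ))
    return records


def unveil_violations(records: List[AcctRecord]) -> List[AcctRecord]:
    """Records whose process hit an unveil(2) restriction at some point in its
    life. Because ps_comm is sampled at exit, the `comm` of such a record is
    the last image exec'd (here "sh"), so attribution needs user, tty and start
    time rather than the name alone."""
    return [r for r in records if r.unveil_violation]


def describe(record: AcctRecord) -> str:
    """One-line triage summary that keeps the attribution caveat visible."""
    return (f"{record.start}: unveil violation in a process that exited as "
            f"'{record.comm}' (user={record.user}, tty={record.tty}, "
            f"elapsed={record.elapsed}); comm reflects the image at exit")


if __name__ == "__main__":
    for rec in unveil_violations(parse_lastcomm(SAMPLE_LASTCOMM)):
        print(describe(rec))
```

When running this over real output, correlate a flagged record with the other records of the same user and tty in the same window, since the program that actually made the call may have exec'd something else before exiting, exactly as su(1) did here.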