> %ps -uw28755
> USER PID %CPU %MEM VSZ RSS TTY STAT STARTED TIME COMMAND
> buhrow 28755 0.1 0.0 408 932 ? S 24May11 0:03.27 sshd: buhrow@ttyp2
> %whoami
> buhrow
> %ktrace -p 28755
> ktrace: file ktrace.out, pid 28755: Operation not permitted

See sys/kern/kern_ktrace.c. This is probably coming from either the filesystem code in sys_ktrace(), if the problem is trying to open the file, or from kauth_authorize_process(KAUTH_PROCESS_CANKTRACE) in ktrcanset(), if the problem is coming from permission to trace the process.

I'd check the former first, because it's easier. But if that's not it, look at sys/secmodel/bsd44/secmodel_bsd44_suser.c for KAUTH_PROCESS_CANKTRACE (I'm assuming you're not using your own secmodels here, or you surely would have mentioned it).

My guess would be that this is a case of a set-ID program doing a setuid() but not execing and the process thus still being marked as set-ID.

If you really want to track this down, you could do something like sprinkle printfs in the KAUTH_PROCESS_CANKTRACE code to find out which test is responsible.

/~\ The ASCII                     Mouse
\ / Ribbon Campaign
 X  Against HTML           mo...@rodents-montreal.org
/ \ Email!       7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B