
I am logging the commands executed by a user to an output file by attaching strace to the PID of bash.

$ strace -q -f -e execve -p $$ -o <outputFile>

It is working fine and I am getting the full command list in the output file.

But I face another problem. I cannot run the sudo command when strace is attached to the bash PID.

I am getting the error below:

sudo: effective uid is not 0, is sudo installed setuid root?

I checked that the setuid bit is set on the sudo binary:

---s--x--x. 1 root root 123832 Mar 22 11:35 /usr/bin/sudo

sudo works fine when I stop strace.

Is this a bug, or is there a technical reason for it? Please help me with this.

2 Answers

The strace manual says:

BUGS
Programs that use the setuid bit do not have effective user ID privileges while being traced.

Though I do suspect it has more to do with the security implications of debugging a setuid process than with a bug. If I'm not mistaken, strace uses the same tracing interface as, say, gdb, and it allows, among other things, modifying the memory of the running process. Being able to do that to a process that runs with more privilege than you're supposed to have would be a bad idea.

  • Thank you for your response! Is there any other way to log all the commands executed by any user instead of getting them from .bash_history? Commented Jun 16, 2017 at 9:39
  • @SouravMaity, depends on what you need to use the log for. Is it security-related logging (accounting), where you need to consider a hostile user trying to evade it, or are you just doing it "for yourself"? What other requirements are there? You may want to post another question about that. Commented Jun 16, 2017 at 11:37

There are other ways to log all the commands executed by a user. With sysdig installed one might run something like

# sysdig "user.name = jdoe and evt.type = execve"

to log all execve(2) calls by jdoe; the -p option to sysdig can customize the output format, etc.

Another way would be to use SystemTap, which has the advantage of being supported by Red Hat; here we assume jdoe has a UID of 1000:

probe begin {
    printf("begin trace...\n\n")
}

# fires after every execve(2) returns, successful or not
probe syscall.execve.return {
    # only report execs performed under jdoe's UID
    if (uid() != 1000) next;
    printf("runs %s[%d]: %s\n", execname(), pid(), cmdline_str());
}

this can then be run via something like

# stap-prep
...
# stap whatyousavedtheaboveas.stp

Both methods will likely require adjustments to capture exactly what you need, handle error conditions where an execve fails, etc. On the plus side, sysdig and SystemTap are vastly more efficient than strace (run vmstat 1 and watch how strace pushes context switches through the roof when running).
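The strace command in the question already produces an execve log; turning it into a usable command history means handling the cases the answer above warns about, namely execve calls that fail, plus the `<unfinished ...>` / `<... execve resumed>` pairs strace emits under -f when another traced child interleaves, and strace's C-style escaping of argv. The Python below is an added example, not code from either answer or from the strace project; the function names, the ExecRecord type and the sample log are this example's own, and the sample is constructed in the format strace writes with -f -o rather than a real capture.

```python
"""Parse `strace -q -f -e execve -p $$ -o FILE` output into exec records.

Example code; names here are this example's own, not a strace API.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Dict, Iterable, List

# One complete execve line as strace -f -o writes it (PID prefix first):
#   PID execve("PATH", [ARGV...], ENVP /* N vars */) = RET [ERRNO (text)]
EXECVE_RE = re.compile(
    r'^(?P<pid>\d+)\s+execve\("(?P<path>(?:[^"\\]|\\.)*)",\s*'
    r'\[(?P<argv>.*?)\],\s*(?P<envp>.*?)\)\s*=\s*(?P<ret>-?\d+)'
    r'(?:\s+(?P<errno>E[A-Z0-9]+)\s+\([^)]*\))?\s*$'
)
# A call interrupted by another thread's event, and its continuation.
UNFINISHED_RE = re.compile(r'^(?P<pid>\d+)\s+(?P<head>execve\(.*?)\s*<unfinished \.\.\.>\s*$')
RESUMED_RE = re.compile(r'^(?P<pid>\d+)\s+<\.\.\. execve resumed>\s*(?P<tail>.*)$')
CSTR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # one quoted C string inside the argv list

_SIMPLE_ESC = {'n': '\n', 't': '\t', 'r': '\r', 'v': '\v', 'f': '\f',
               'a': '\a', 'b': '\b', '\\': '\\', '"': '"'}


def unescape_c(s: str) -> str:
    """Undo strace's C-style escaping: simple backslash escapes, octal (default) and hex (-x)."""
    out, i = [], 0
    while i < len(s):
        if s[i] != '\\':
            out.append(s[i]); i += 1; continue
        i += 1
        if i >= len(s):
            out.append('\\'); break
        c = s[i]
        if c in _SIMPLE_ESC:
            out.append(_SIMPLE_ESC[c]); i += 1
        elif c in '01234567':                       # up to three octal digits
            j = i
            while j < len(s) and j < i + 3 and s[j] in '01234567':
                j += 1
            out.append(chr(int(s[i:j], 8))); i = j
        elif c == 'x' and re.match(r'[0-9a-fA-F]{2}', s[i + 1:i + 3]):
            out.append(chr(int(s[i + 1:i + 3], 16))); i += 3
        else:
            out.append(c); i += 1
    return ''.join(out)


@dataclass
class ExecRecord:
    pid: int
    path: str
    argv: List[str]
    ok: bool
    errno: str = ''          # e.g. 'ENOENT' when ok is False
    truncated: bool = False  # strace elided argv elements with "..."


def _record_from_match(m) -> ExecRecord:
    argv_text = m.group('argv')
    return ExecRecord(pid=int(m.group('pid')), path=unescape_c(m.group('path')),
                      argv=[unescape_c(x) for x in CSTR_RE.findall(argv_text)],
                      ok=m.group('ret') == '0', errno=m.group('errno') or '',
                      truncated=argv_text.rstrip().endswith('...'))


def parse_strace_execve(text: str) -> List[ExecRecord]:
    """Return every execve attempt in the log, successful or not, in file order."""
    records: List[ExecRecord] = []
    pending: Dict[int, str] = {}   # pid -> head of an execve line still <unfinished ...>
    for raw in text.splitlines():
        line = raw.strip()
        m = UNFINISHED_RE.match(line)
        if m:
            pending[int(m.group('pid'))] = f"{m.group('pid')} {m.group('head')}"
            continue
        m = RESUMED_RE.match(line)
        if m:
            head = pending.pop(int(m.group('pid')), None)
            if head is None:
                continue                       # continuation with no head seen: ignore
            line = head + m.group('tail')      # reassemble into one ordinary line
        m = EXECVE_RE.match(line)
        if m:                                  # '+++ exited', '--- SIGCHLD' etc. are skipped
            records.append(_record_from_match(m))
    return records


def failed_execs(records: Iterable[ExecRecord]) -> List[ExecRecord]:
    """Attempts the kernel rejected (missing binary, bad shebang interpreter, no exec permission)."""
    return [r for r in records if not r.ok]


def format_record(r: ExecRecord) -> str:
    status = 'ok' if r.ok else f'FAIL {r.errno}'
    return f"{r.pid}\t{status}\t{r.path}\t{shlex.join(r.argv)}{' ...' if r.truncated else ''}"


# Constructed sample in the format strace writes with -f -o; not a real capture.
SAMPLE_LOG = r'''4242 execve("/usr/bin/ls", ["ls", "-la", "/etc"], 0x55d8c0a1b2c0 /* 24 vars */) = 0
4242 +++ exited with 0 +++
4243 execve("/usr/bin/sudo", ["sudo", "id"], 0x55d8c0a1b2c0 /* 24 vars */) = 0
4243 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4244, si_uid=1000, si_status=1} ---
4245 execve("./deploy.sh", ["./deploy.sh", "prod"], 0x55d8c0a1b2c0 /* 24 vars */) = -1 ENOENT (No such file or directory)
4245 +++ exited with 127 +++
4246 execve("/bin/sh", ["sh", "-c", "echo \"hi there\"\n"], 0x55d8c0a1b2c0 /* 24 vars */ <unfinished ...>
4247 +++ exited with 0 +++
4246 <... execve resumed>) = 0
'''

if __name__ == '__main__':
    for rec in parse_strace_execve(SAMPLE_LOG):
        print(format_record(rec))
```

Run it on a real file with `parse_strace_execve(open(path).read())`. Note that bash locates commands by stat()ing PATH entries rather than by trying execve in each directory, so the failed entries you see are mostly scripts with a missing interpreter (ENOENT) or files without execute permission (EACCES); both still show up as exit status 126/127 of the child, which is exactly what a history-only log hides.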
