Section 8.14 Process Accounting 269
The superuser permissions that we gave the tsys program are retained across the fork
and exec that are done by system.
Some implementations have closed this security hole by changing /bin/sh to reset the
effective user ID to the real user ID when they don’t match. On these systems, the previous
example doesn’t work as shown. Instead, the same effective user ID will be printed regardless
of the status of the set-user-ID bit on the program calling system.
If it is running with special permissions (either set-user-ID or set-group-ID) and
wants to spawn another process, a process should use fork and exec directly, being
certain to change back to normal permissions after the fork, before calling exec. The
system function should never be used from a set-user-ID or a set-group-ID program.
One reason for this admonition is that system invokes the shell to parse the command string,
and the shell uses its IFS variable as the input field separator. Older versions of the shell
didn’t reset this variable to a normal set of characters when invoked. As a result, a malicious
user could set IFS before system was called, causing system to execute a different program.
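The fork/exec alternative the text recommends, as an added example that is not the book's code: the child resets its group and user IDs to the real IDs after fork and before exec, and the command is passed as an argument vector rather than a string, so no shell (and therefore no IFS) is involved. The function names, the "127 means the child could not exec" convention, and the /usr/bin/id path used in main are assumptions made for the example.

```c
/* Added example (not from APUE): spawn a helper from a set-user-ID or
 * set-group-ID program without system(3).  The child gives up the extra
 * privileges after fork and before exec, and the command is an argv
 * vector, so no shell and no IFS are involved. */
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

/* Reset effective group and user IDs to the real IDs.  Group first: once
 * the effective user ID is unprivileged, setgid may no longer be allowed.
 * For a set-user-ID-root program setuid() changes all three user IDs; for a
 * non-root one it changes only the effective ID, but the exec that follows
 * copies the effective ID into the saved set-user-ID, so the new program
 * has nothing left to regain.  Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();

    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* never trust a privilege drop you have not verified */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

/* fork/exec replacement for system(3) in privileged programs.  argv is a
 * NULL-terminated vector handed straight to execv.  Returns the child's
 * exit status (0-255), 127 if the child could not drop privileges or exec
 * (assumed convention of this example), 128+signal if it was killed, and
 * -1 if fork or waitpid failed in the parent. */
int run_unprivileged(char *const argv[])
{
    pid_t pid;
    int status;

    if ((pid = fork()) < 0)
        return -1;

    if (pid == 0) {                     /* child */
        if (drop_privileges() != 0)
            _exit(127);
        execv(argv[0], argv);
        _exit(127);                     /* exec failed */
    }

    while (waitpid(pid, &status, 0) < 0) {   /* parent */
        if (errno != EINTR)
            return -1;
    }
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return 128 + WTERMSIG(status);
}

int main(void)
{
    char *argv[] = { "/usr/bin/id", NULL };  /* assumed path for the demo */
    int rc;

    printf("parent: real uid %ld, effective uid %ld\n",
           (long)getuid(), (long)geteuid());
    rc = run_unprivileged(argv);
    printf("child exit status %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Compile it, make the binary set-user-ID (chown root, chmod u+s) and run it as an ordinary user: the parent prints differing real and effective user IDs, while id in the child reports only the real ones. Contrast this with the tsys example above, where the shell started by system inherits the elevated effective user ID.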
8.14 Process Accounting
Most UNIX systems provide an option to do process accounting. When enabled, the
kernel writes an accounting record each time a process terminates. These accounting
records typically contain a small amount of binary data with the name of the command,
the amount of CPU time used, the user ID and group ID, the starting time, and so on.
We’ll take a closer look at these accounting records in this section, as it gives us a chance
to look at processes again and to use the fread function from Section 5.9.
Process accounting is not specified by any of the standards. Thus all the implementations have
annoying differences. For example, the I/O counts maintained on Solaris 10 are in units of
bytes, whereas FreeBSD 8.0 and Mac OS X 10.6.8 maintain units of blocks, although there is no
distinction between different block sizes, making the counter effectively useless. Linux 3.2.0,
on the other hand, doesn’t try to maintain I/O statistics at all.
Each implementation also has its own set of administrative commands to process raw
accounting data. For example, Solaris provides runacct(1m) and acctcom(1), whereas
FreeBSD provides the sa(8) command to process and summarize the raw accounting data.
A function we haven’t described (acct) enables and disables process accounting.
The only use of this function is from the accton(8) command (which happens to be one
of the few similarities among platforms). A superuser executes accton with a
pathname argument to enable accounting. The accounting records are written to the
specified file, which is usually /var/account/acct on FreeBSD and Mac OS X,
/var/log/account/pacct on Linux, and /var/adm/pacct on Solaris. Accounting
is turned off by executing accton without any arguments.
The structure of the accounting records is defined in the header <sys/acct.h>.
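Before looking at the record structure itself, here is an added example (not the book's program) of reading raw accounting records with fread and decoding the packed comp_t time fields, using only the fields that both Linux and the BSDs (including Mac OS X) define in <sys/acct.h>. The two records it reads are constructed in a temporary file, so it runs without accounting enabled; the struct acct_summary type and the function names are assumptions of the example. One caveat: the on-disk layout is implementation-specific, and a Linux kernel built with CONFIG_BSD_PROCESS_ACCT_V3 writes a different, versioned record (struct acct_v3 in the kernel's <linux/acct.h>), so a real pacct file on such a system does not match struct acct.

```c
/* Added example (not from APUE): read raw process-accounting records with
 * fread and decode the packed comp_t time fields, using only fields that
 * both Linux and the BSDs (including Mac OS X) define in <sys/acct.h>.
 * The input is a constructed two-record temporary file, so it runs without
 * accounting enabled; pass a real accounting file as argv[1] instead. */
#include <sys/types.h>
#include <sys/acct.h>
#include <stdio.h>
#include <string.h>

/* comp_t packs a tick count into 16 bits: a 3-bit base-8 exponent in the
 * high bits and a 13-bit fraction.  Value = fraction * 8^exponent. */
unsigned long compt2ulong(comp_t comptime)
{
    unsigned long val = comptime & 017777;  /* low 13 bits: fraction */
    int exp = (comptime >> 13) & 7;         /* high 3 bits: exponent */

    while (exp-- > 0)
        val *= 8;
    return val;
}

/* The subset of a record this example decodes (type name is ours). */
struct acct_summary {
    char comm[sizeof(((struct acct *)0)->ac_comm) + 1];
    long uid;
    unsigned long utime;   /* user CPU time, clock ticks */
    unsigned long stime;   /* system CPU time, clock ticks */
    int su;                /* ASU flag: used superuser privileges */
    int core;              /* ACORE flag: dumped core */
};

/* Read whole records with fread until EOF or max entries; returns the count.
 * A trailing partial record (the kernel may still be appending) is dropped. */
int read_acct_records(FILE *fp, struct acct_summary out[], int max)
{
    struct acct rec;
    int n = 0;

    while (n < max && fread(&rec, sizeof(rec), 1, fp) == 1) {
        memset(&out[n], 0, sizeof(out[n]));
        /* ac_comm need not be NUL-terminated: copy all of it, then terminate */
        memcpy(out[n].comm, rec.ac_comm, sizeof(rec.ac_comm));
        out[n].comm[sizeof(rec.ac_comm)] = '\0';
        out[n].uid = (long)rec.ac_uid;
        out[n].utime = compt2ulong(rec.ac_utime);
        out[n].stime = compt2ulong(rec.ac_stime);
        out[n].su = (rec.ac_flag & ASU) != 0;
        out[n].core = (rec.ac_flag & ACORE) != 0;
        n++;
    }
    if (ferror(fp))
        perror("fread");
    return n;
}

/* Constructed sample input (made-up values, not from a real system). */
FILE *make_sample_acct_file(void)
{
    FILE *fp = tmpfile();
    struct acct rec;

    if (fp == NULL)
        return NULL;
    /* "sh" run by uid 1000: 100 ticks user, 5 ticks system (exponent 0) */
    memset(&rec, 0, sizeof(rec));
    memcpy(rec.ac_comm, "sh", 2);
    rec.ac_uid = 1000;
    rec.ac_utime = 100;
    rec.ac_stime = 5;
    fwrite(&rec, sizeof(rec), 1, fp);
    /* "passwd" run by uid 1000 with ASU set (it is set-user-ID root);
     * user time encoded as exponent 1, fraction 200 = 1600 ticks */
    memset(&rec, 0, sizeof(rec));
    memcpy(rec.ac_comm, "passwd", 6);
    rec.ac_uid = 1000;
    rec.ac_utime = (comp_t)((1 << 13) | 200);
    rec.ac_flag = ASU;
    fwrite(&rec, sizeof(rec), 1, fp);
    rewind(fp);
    return fp;
}

int main(int argc, char *argv[])
{
    FILE *fp = argc > 1 ? fopen(argv[1], "r") : make_sample_acct_file();
    struct acct_summary recs[256];
    int i, n;

    if (fp == NULL) {
        perror("accounting file");
        return 1;
    }
    n = read_acct_records(fp, recs, 256);
    for (i = 0; i < n; i++)
        printf("%-16s uid=%ld utime=%lu stime=%lu%s%s\n", recs[i].comm,
               recs[i].uid, recs[i].utime, recs[i].stime,
               recs[i].su ? " SU" : "", recs[i].core ? " CORE" : "");
    return fclose(fp) == 0 ? 0 : 1;
}
```

The ASU flag is the security-relevant bit for an auditor: it marks processes that used superuser privileges, so filtering on it over a day's accounting file lists every set-user-ID-root command (and every root shell) that ran, with the real user ID of whoever started it.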
Although the implementation of each system differs, the accounting records look
something like