TCT ported to HP-UX 10.20

From: Knut Eckstein (knutat_private)
Date: Sun Jan 20 2002 - 12:40:44 PST


    Hello all,
    
    during the last weeks I ported tct-1.09 to HP-UX 10.20.
    
    You can download the patch from
    
    http://www.isd.uni-stuttgart.de/~knut.eckstein/tct-hp.html
    
    You will also find there a summary of the tests I ran
    in order to verify the correct functioning of the port.
    
    A big thank you goes to Andreas Thuemmel who wrote two
    utility programs that are helpful when testing unrm on
    large files. You can also download them from the URL above.
    
    Further thanks go to Brian Carrier and Wietse Venema for answering
    questions that occurred during the port.
    
    During the tests I found two interesting problems. Maybe
    a HP-UX expert out there can point me to a solution:
    
    1. The pcat program in TCT uses ptrace(READDATA) to copy the TEXT,
    DATA and STACK segment of a process. It returns with EIO when trying
    to read the STACK area of the init process (PID==1). Therefore pcat
    will only return the TEXT and DATA segment of that particular process.
    I observed similar behaviour with "/bin/sh" and
    "/usr/dt/bin/dtrc". The initial ptrace(ATTACH) works fine as do the
    read operations on the TEXT and DATA segments. I know that OpenBSD and
    Linux flat out refuse a ptrace(ATTACH) to the init process for
    security reasons, but this seems to be a slightly different issue
    here. I also looked at the pst_vm_status.pst_flags and the
    pst_vm_status.pst_permission bits returned for each segment by
    pstat_getprocvm, but I can't see any differences between these
    "troublemaking" processes and others.
    
    2. When deleting a file that is still opened by a process, HP-UX does
    delete the directory entry but does not decrement the refcount to zero
    in the on-disk inode.  Therefore, ils cannot report such a file, as
    it looks like a normal file on disk.  Why does this behaviour differ
    from other Unix implementations? As far as I know, all other platforms
    that TCT is available for do not exhibit this behaviour.
    
    Further plans:
    
    - port tctutils
    - include support for HP-UX 11.00
    - look at acl(5) implementation and how to incorporate that
      information into TCT
    
    As this is a freetime project, I won't say anything about a schedule :-)
    
    Have fun (and send feedback/bug reports),
    
    Knut
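The second problem above turns on what a kernel reports for a file that is unlinked while a process still holds it open. The following probe, an added example that is not part of Knut's post or of TCT, creates a scratch file, unlinks it while the descriptor is open, and records the link count seen through fstat(), whether the directory entry is still visible, and whether the data is still readable. On Linux and the BSDs the link count drops to 0 at unlink time, which is what ils relies on; the Linux-only /proc/self/fd check shows how an incident responder can spot (and copy out) such deleted-but-open files on a live system. The /tmp path and the "evidence" payload are constructed for the demo; the function and struct names are the example's own.

```c
/* Added example: probe what the kernel reports for a file that is unlinked
 * while a process still holds it open. Not part of TCT or of the post. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>

struct unlink_probe {
    int nlink;              /* st_nlink from fstat() on the still-open descriptor */
    int path_exists;        /* 1 if the directory entry is still visible */
    int proc_marks_deleted; /* 1 if /proc/self/fd/N ends in "(deleted)" (Linux only) */
    char data[32];          /* content read back through the descriptor */
};

/* Fills *out; returns 0 on success, -1 if a syscall failed (reported via perror). */
int probe_deleted_open_file(struct unlink_probe *out)
{
    char path[] = "/tmp/tct_unlink_demo_XXXXXX";   /* constructed scratch file */
    const char msg[] = "evidence";                  /* constructed payload */
    struct stat st;
    char link[64], target[4096];
    ssize_t n;
    int fd;

    memset(out, 0, sizeof *out);
    fd = mkstemp(path);
    if (fd < 0) { perror("mkstemp"); return -1; }

    if (write(fd, msg, strlen(msg)) != (ssize_t)strlen(msg)) {
        perror("write"); close(fd); unlink(path); return -1;
    }

    /* Remove the only directory entry while the descriptor stays open. */
    if (unlink(path) != 0) { perror("unlink"); close(fd); return -1; }
    out->path_exists = (access(path, F_OK) == 0);

    /* The kernel's view of the inode: on Linux/BSD st_nlink is now 0. */
    if (fstat(fd, &st) != 0) { perror("fstat"); close(fd); return -1; }
    out->nlink = (int)st.st_nlink;

    /* Linux tags the descriptor's target as deleted in procfs; on other
     * systems readlink() simply fails and the flag stays 0. */
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    n = readlink(link, target, sizeof target - 1);
    if (n > 0) {
        target[n] = '\0';
        out->proc_marks_deleted = strstr(target, " (deleted)") != NULL;
    }

    /* The data blocks remain reachable through the open descriptor. */
    if (lseek(fd, 0, SEEK_SET) != 0) { perror("lseek"); close(fd); return -1; }
    n = read(fd, out->data, sizeof out->data - 1);
    if (n < 0) { perror("read"); close(fd); return -1; }
    out->data[n] = '\0';

    close(fd);   /* only now does the kernel actually free the inode */
    return 0;
}

/* Small wrappers so single results can be checked without the struct. */
int deleted_open_nlink(void)
{
    struct unlink_probe p;
    return probe_deleted_open_file(&p) == 0 ? p.nlink : -1;
}

int deleted_open_data_intact(void)
{
    struct unlink_probe p;
    return probe_deleted_open_file(&p) == 0 && !p.path_exists
        && strcmp(p.data, "evidence") == 0;
}

int main(void)
{
    struct unlink_probe p;
    if (probe_deleted_open_file(&p) != 0) return 1;
    printf("nlink=%d path_exists=%d proc_marks_deleted=%d data=\"%s\"\n",
           p.nlink, p.path_exists, p.proc_marks_deleted, p.data);
    return 0;
}
```

Run it on a Linux or BSD host and nlink comes back 0 while the data is still readable; if the HP-UX behaviour described in the post holds, the same probe there should report a non-zero link count, which is exactly the case ils cannot distinguish from an ordinary allocated inode.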
    
    
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sun Jan 20 2002 - 12:44:28 PST