BUG OVERVIEW:

This is a wrong implementation of the sys_acct() Linux syscall on Ubuntu.

I've been programming some pieces of code such as account.c (enable or disable process accounting) and reader.c (read the file and show its content on screen)[1]. Look:

nitrous@lsd:~/x/acct-bug$ gcc account.c -o account
nitrous@lsd:~/x/acct-bug$ ./account
Usage: ./account [-de] acct_file
        -d      Disable
        -e      Enable
nitrous@lsd:~/x/acct-bug$ ./account -e ./UBUNTU606
acct(): Operation not permitted
nitrous@lsd:~/x/acct-bug$ su
Password:
root@lsd:/home/nitrous/x/acct-bug# ./account -e ./UBUNTUBREEZY
Enabled on ./UBUNTUBREEZY
root@lsd:/home/nitrous/x/acct-bug# ls
account    acct.h  OS_DETAILS  reader.c  readerv3.c  sizeof    sizeofv3    UBUNTU606
account.c  CENTOS  reader      readerv3  REDHAT9     sizeof.c  sizeofv3.c  UBUNTUBREEZY
root@lsd:/home/nitrous/x/acct-bug# uname -a
Linux lsd 2.6.12-9-386 #1 Mon Oct 10 13:14:36 BST 2005 i6
root@lsd:/home/nitrous/x/acct-bug# ./account -d ./UBUNTUBREEZY
Disabled
root@lsd:/home/nitrous/x/acct-bug# ./reader
Usage: ./reader
root@lsd:/home/nitrous/x/acct-bug# ./reader ./UBUNTUBREEZY
                                     BLOCKS  CHARS  T.REAL  T.CPU  MINOR  MAJOR  EXIT
COMMAND      USER       GID   TTY    R/W     R/W    (s. )   (s. )  PAGEF  PAGEF  CODE
#|           UID:34822  0     0      0       7452   74.61   0.00   26365  17628  0
             UID:34822  0     0      0       7452   74.62   0.00   26368  17628  0
H            UID:34822  0     0      0       7452   74.63   0.00   26371  17628  0

All the printed information is WRONG! OK, let's make more tests with other account files (created on different boxes):

root@lsd:/home/nitrous/x/acct-bug# ./reader REDHAT9
                                     BLOCKS  CHARS  T.REAL  T.CPU  MINOR  MAJOR  EXIT
COMMAND      USER       GID   TTY    R/W     R/W    (s. )   (s. )  PAGEF  PAGEF  CODE
#cont        root       0     34816  0       0      0.00    0.00   16     86     0
#ls          root       0     34816  0       0      0.01    0.00   27     145    0
uname        root       0     34816  0       0      0.00    0.00   18     110    0

root@lsd:/home/nitrous/x/acct-bug# ./reader CENTOS
                                     BLOCKS  CHARS  T.REAL  T.CPU  MINOR  MAJOR  EXIT
COMMAND      USER       GID   TTY    R/W     R/W    (s. )   (s. )  PAGEF  PAGEF  CODE
#cont        root       0     1025   0       0      0.00    0.00   106    0      0
#dir         root       0     1025   0       0      0.02    0.00   209    1      0
#ps          root       0     1025   0       0      0.02    0.00   224    1      0
ls           UID:500    500   1026   0       0      0.02    0.00   324    0      0
uname        UID:500    500   1026   0       0      0.00    0.00   139    0      0
#ls          root       0     1025   0       0      0.00    0.00   249    0      0

root@lsd:/home/nitrous/x/acct-bug# ./reader DEBIAN
                                     BLOCKS  CHARS  T.REAL  T.CPU  MINOR  MAJOR  EXIT
COMMAND      USER       GID   TTY    R/W     R/W    (s. )   (s. )  PAGEF  PAGEF  CODE
#account     root       0     34820  0       0      0.00    0.00   106    0      0
#ls          root       0     34820  0       0      0.00    0.00   213    0      0
mozilla-bin  nitrous    1000  0      0       0      114.03  0.00   13     0      0
#ps          root       0     34820  0       0      0.01    0.00   271    0      0
mozilla-bin  nitrous    1000  0      0       0      7.13    0.00   3      0      0

root@lsd:/home/nitrous/x/acct-bug# ./reader UBUNTU606
                                     BLOCKS  CHARS  T.REAL  T.CPU  MINOR  MAJOR  EXIT
COMMAND      USER       GID   TTY    R/W     R/W    (s. )   (s. )  PAGEF  PAGEF  CODE
#\uffff      UID:34816  0     0      0       13865  139.02  0.00   45512  17626  0
             UID:34816  0     0      0       13865  139.09  0.00   45517  17626  65536
\uffff       UID:34816  0     0      0       13859  138.65  0.00   45490  17626  2
#\uffff      UID:34816  0     0      0       13418  138.59  0.00   45488  17626  65536
             UID:34816  0     0      0       13418  139.17  10.01  45522  17626  0
d            UID:34816  0     0      0       13927  139.29  0.00   45527  17626  0
@            UID:34816  0     0      0       13926  139.27  0.00   45527  17626  2

The program works fine with the REDHAT, CENTOS and DEBIAN account files, but again, why doesn't it work on UBUNTU606 and UBUNTUBREEZY? Doing some research, I found this:

Ubuntu uses 'struct acct' in /usr/include/sys/acct.h (I think that the kernel's ACCT_VERSION = 2), but sys_acct(), in its low-level routines, really uses 'struct acct_v3', and that's why our reader program doesn't work (the file's binary format is different).

I wrote another reader for 'struct acct_v3' using linux-2.6.12/include/linux/acct.h, look:

root@lsd:/home/nitrous/x/acct-bug# ./readerv3 ./UBUNTU606
                                     BLOCKS  CHARS  MINOR  MAJOR  EXIT
COMMAND      USER       GID   TTY    R/W     R/W    PAGEF  PAGEF  CODE
#account     root       0     34816  0       0      159    0      0
id           root       0     34816  0       0      345    3      0
bash         root       0     34816  0       0      796    1      0
#su          root       0     34816  0       0      467    0      0
ls           mysql      1001  34816  0       0      423    0      0
id           root       0     34816  0       0      333    0      0
groups       root       0     34816  0       0      455    0      0
bash         root       0     34816  0       0      200    0      0
basename     root       0     34816  0       0      303    0      0
dirname      root       0     34816  0       0      232    0      0
lesspipe     root       0     34816  0       0      181    0      0
lesspipe     root       0     34816  0       0      200    0      0
lesspipe     root       0     34816  0       0      506    0      0
bash         root       0     34816  0       0      198    0      0
dircolors    root       0     34816  0       0      244    0      0
bash         root       0     34816  0       0      197    0      0

root@lsd:/home/nitrous/x/acct-bug# ./readerv3 ./UBUNTUBREEZY
                                     BLOCKS  CHARS  MINOR  MAJOR  EXIT
COMMAND      USER       GID   TTY    R/W     R/W    PAGEF  PAGEF  CODE
#account     root       0     34818  0       0      397    0      0
ps           nitrous    1000  34818  0       0      305    2      0
cat          nitrous    1000  34818  0       0      136    0      0
ls           nagios     1002  34818  0       0      208    0      0
ps           nagios     1002  34818  0       0      308    0      0
id           nagios     1002  34818  0       0      259    0      0
#sh          nagios     1002  34818  0       0      638    2      0
#su          nitrous    1002  34818  0       0      331    0      0
id           nitrous    1000  34818  0       0      270    0      0

It works ;)!

TESTED ON:

[+] Ubuntu 6.06.1 LTS - Kernel: 2.6.15-26-386
[+] Ubuntu 5.10 "Breezy Badger" - Kernel: 2.6.12-9-386

TIMELINE:

Bug discovered: 21/June/2006
Bug Published: 12/August/2006

Regards.

A. Alejandro Hernandez Hernandez
nitr0us [nitrousenador.at.gmail.dot.com]

References:

[1] Codes and related stuff.
    http://www.genexx.org/nitrous/code/acct-bug/acct-bug.tar.gz
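
Added example (not part of the original advisory and not the author's reader.c or readerv3.c): a record decoder that selects the layout from each record's own ac_version byte instead of from the struct the reader was compiled against, which is the mismatch described above. The field offsets are assumptions taken from struct acct and struct acct_v3 in linux-2.6.12/include/linux/acct.h on little-endian i386; acct_rec, acct_decode, acct_decode_as and SAMPLE_V3 are hypothetical names, and the sample record is constructed.

```c
#include <stdint.h>
#include <string.h>

#define ACCT_REC_SIZE  64     /* both layouts are 64 bytes per record */
#define ACCT_BYTEORDER 0x80   /* set in ac_version by big-endian writers */

struct acct_rec {             /* hypothetical normalized record */
    uint32_t uid, gid, exitcode, tty;
    uint64_t minflt, majflt;
    char comm[17];
};

static uint32_t le(const unsigned char *p, int n) {  /* little-endian load */
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

static uint64_t comp(const unsigned char *p) {  /* comp_t: 13-bit mantissa, 3-bit base-8 exponent */
    uint32_t c = le(p, 2);
    return (uint64_t)(c & 0x1fff) << (3 * (c >> 13));
}

/* Decode r with the field offsets of layout `ver`; returns ver or -1. */
int acct_decode_as(const unsigned char *r, int ver, struct acct_rec *o) {
    /* offsets of: tty, exitcode, uid, gid, minflt, majflt, comm */
    static const int v2[] = { 6, 32, 56, 60, 24, 26, 36 };  /* struct acct */
    static const int v3[] = { 2,  4,  8, 12, 42, 44, 48 };  /* struct acct_v3 */
    const int *f = ver == 3 ? v3 : ver == 2 ? v2 : NULL;
    if (!f) return -1;
    memset(o, 0, sizeof *o);
    o->tty = le(r + f[0], 2);   o->exitcode = le(r + f[1], 4);
    o->uid = le(r + f[2], 4);   o->gid = le(r + f[3], 4);
    o->minflt = comp(r + f[4]); o->majflt = comp(r + f[5]);
    memcpy(o->comm, r + f[6], 16);          /* comm[16] stays NUL */
    return ver;
}

/* Pick the layout from the record's own ac_version byte (offset 1). */
int acct_decode(const unsigned char *r, struct acct_rec *o) {
    if (r[1] & ACCT_BYTEORDER) return -1;   /* big-endian file: not handled */
    return acct_decode_as(r, r[1], o);
}

/* Constructed sample: a v3 record shaped like the first readerv3 row. */
const unsigned char SAMPLE_V3[ACCT_REC_SIZE] = {
    [1] = 3, [2] = 0x00, [3] = 0x88,        /* ac_version, ac_tty = 34816 */
    [24] = 0x34, [25] = 0x12,               /* ac_btime (arbitrary value) */
    [42] = 159,                             /* ac_minflt */
    [48] = 'a', 'c', 'c', 'o', 'u', 'n', 't'
};
```

Forcing the v2 offsets onto SAMPLE_V3 with acct_decode_as(SAMPLE_V3, 2, &out) reads ac_btime bytes as the minor page-fault count, the same kind of garbage the first reader printed for the Ubuntu files.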