[ale] diagnosis
Dow Hurst
dhurst at kennesaw.edu
Sat Apr 24 16:08:38 EDT 2004
David,
Thinking about your post and the mention of the /var/run/utmp existing for the
leak to occur, led me to the man page for utmp to remind myself what wrote
to it or manipulated it. Going back to your first post on April 7 I can see
that you have only the kernel processes, init, bash, and portmap running. So
based on this I would start dissecting init and the kernel. Or, I would
install a new kernel and init via CD with tools off the CD. Utmp being a
database of login entries, and, with several different programs dealing with
logins operating on utmp, this may be the indicator to help you. Sorry for
being vague but I haven't experience with going this far except by reading
about others who've done it.
Hope this helps you find out what is going on.
Dow
Here is a link to a forensic analysis explanation with an example.
http://www.samag.com/documents/s=9053/sam0403e/0403e.htm
Here is the relevant excerpt from man page for utmp:
The first entries ever created result from init(8) processing init-
tab(5). Before an entry is processed, though, init(8) cleans up utmp
by setting ut_type to DEAD_PROCESS, clearing ut_user, ut_host, and
ut_time with null bytes for each record which ut_type is not DEAD_PRO-
CESS or RUN_LVL and where no process with PID ut_pid exists. If no
empty record with the needed ut_id can be found, init creates a new
one. It sets ut_id from the inittab, ut_pid and ut_time to the current
values, and ut_type to INIT_PROCESS.
getty(8) locates the entry by the pid, changes ut_type to LOGIN_PRO-
CESS, changes ut_time, sets ut_line, and waits for connection to be
established. login(8), after a user has been authenticated, changes
ut_type to USER_PROCESS, changes ut_time, and sets ut_host and ut_addr.
Depending on getty(8) and login(8), records may be located by ut_line
instead of the preferable ut_pid.
When init(8) finds that a process has exited, it locates its utmp entry
by ut_pid, sets ut_type to DEAD_PROCESS, and clears ut_user, ut_host
and ut_time with null bytes.
xterm(1) and other terminal emulators directly create a USER_PROCESS
record and generate the ut_id by using the last two letters of
/dev/ttyp%c or by using p%d for /dev/pts/%d. If they find a DEAD_PRO-
CESS for this id, they recycle it, otherwise they create a new entry.
If they can, they will mark it as DEAD_PROCESS on exiting and it is
advised that they null ut_line, ut_time, ut_user, and ut_host as well.
xdm(8) should not create a utmp record, because there is no assigned
terminal. Letting it create one will result in errors, such as ?fin-
ger: cannot stat /dev/machine.dom?. It should create wtmp entries,
though, just like ftpd(8) does.
telnetd(8) sets up a LOGIN_PROCESS entry and leaves the rest to
login(8) as usual. After the telnet session ends, telnetd(8) cleans up
utmp in the described way.
--
__________________________________________________________
Dow Hurst Office: 770-499-3428 *
Systems Support Specialist Fax: 770-423-6744 *
1000 Chastain Rd. Bldg. 12 *
Chemistry Department SC428 Email: dhurst at kennesaw.edu *
Kennesaw State University Dow.Hurst at mindspring.com *
Kennesaw, GA 30144 *
************************************************************
This message (including any attachments) contains *
confidential information intended for a specific individual*
and purpose, and is protected by law. If you are not the *
intended recipient, you should delete this message and are *
hereby notified that any disclosure, copying, distribution *
of this message, or the taking of any action based on it, *
is strictly prohibited. *
************************************************************
More information about the Ale
mailing list