Re: [Integrit-devel] FreeBSD readdir_r problem
From: Ed L C. <ec...@co...> - 2000-12-13 20:36:50
Andreas Schweitzer <an...@ph...> writes:
> On Thu, Dec 07, 2000 at 08:10:26PM -0500, Ed L Cashin wrote:
> > Andreas,
> >
> > With the current version of integrit, have you been able to replicate
> > segfaults in readdir_r when running integrit on the root of your
> > FreeBSD system?
>
> Yes, it still segfaults.

I'm installing FreeBSD at home, so maybe soon I'll be able to
reproduce this.

> However, it compiles out of the box now :-)

That's good. :)

> I did a bit of debugging, but no real results.
> I use the included usr.conf file, i.e. it starts for
> me with /usr/bin.
> It dies on file number 246 (starting to count with 1)
> in /usr/bin, no matter which file this is.

You're sure that it's after the 246'th file it reads in /usr/bin, and
not some directory it reads later? If so, then would you mind sending
the output of "find /usr/bin -ls"?

Are there NFS-mounted files? I know you said there are some
setuid/gid files ...

What about the FreeBSD feature you mentioned earlier -- about some
files that have an atime that is impossible to reset? Do you know
what the name of that feature is?

> I moved the files around, so that the order it reads
> it in changes - same result.
>
> When I copy all the files to a temporary directory
> it works. It checks all 413 copied files from /usr/bin

What command did you use to copy the files? Was the new location on
the same mountpoint?

> Also, I'm not sure if this is user root related or
> not, because when I test it as a regular user it dies
> before because it wants to read non-readable files
> (some SUID files). And I don't want to move those around ...
> So I can't really test.
>
> Does this help you ?
> (gdb) print entry
> $1 = {d_fileno = 8011, d_reclen = 12, d_type = 8 '\b', d_namlen = 2 '\002',
> d_name = "mt\000Ëh\"\000\000\020\000\b\004ncal\000Ø\233Èh\
[snip]

Yes, that shows that mt was the file being statted. See how d_name is
"mt", followed by a null character (\000)? I wonder if mt is
different from the other files.

> (gdb) print result
> $2 = (struct dirent *) 0xbfbfc4f4
>
> I'm not really good in C. Especially when it comes to
> such constructs :-)

Hey, you're better than most if you know what a debugger is!!! ;)
--
--Ed Cashin PGP public key:
ec...@co... http://www.coe.uga.edu/~ecashin/pgp/