Bug 4631

Summary: lsof 4.42 reports incorrect NODE for deleted executable
Product: [Retired] Red Hat Linux Reporter: schorr
Component: lsofAssignee: David Lawrence <dkl>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 6.0CC: schorr
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 1999-08-23 16:15:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description schorr 1999-08-20 20:11:51 UTC 
I started a daemon process and then used rdist to update
the program that was already running.  Since the running
program is holding open the old version of the binary,
rdist of course installs it with a new inode number.
However, when I use lsof to examine the files held open
by the already running daemon process, it shows the
executable with a NODE value equal to the inode number of
the newly installed version.  This is incorrect.  I imagine
that this is because it may be blindly following the
symbolic link in /proc/<pid>/exe instead of looking at
the contents of /proc/<pid>/maps.

Thanks,
Andy
Comment 1 Jeff Johnson 1999-08-20 21:47:59 UTC 
Does this problem still exist in the latest lsof-4.45 from Raw Hide?
Comment 2 schorr 1999-08-23 13:22:59 UTC 
I upgraded to 4.45, and the behavior is identical.  However, I played
around a little, and it is now clear that the problem is related to
permissioning issues.  When I run lsof as root or as the user who owns
the process, the output is correct.  If I run it as some other user,
however, it shows less information (which is understandable, since
some parts of the /proc/<fd> directory are not readable), and it
shows an incorrect NODE number for the "mem" mapping associated with
the executable (the file that shows up as the "txt" mapping when
the user has the proper permissions).  This seems wrong since
the /proc/<pid>/maps data is world-readable and has the correct
inode number in it.

Thanks,
Andy
Comment 3 Jeff Johnson 1999-08-23 16:15:59 UTC 
Put a setuid root on the lsof binary if you wish consistent results.
In fact, lsof is supposed to be installed setuid root. Red Hat does
not distribute lsof with this setting because of the potential
security hole that might be introduced on systems where lsof is not
used and/or understood.