Red Hat Bugzilla – Bug 4631
lsof 4.42 reports incorrect NODE for deleted executable
Last modified: 2008-05-01 11:37:51 EDT
I started a daemon process and then used rdist to update
the program that was already running. Since the running
program is holding open the old version of the binary,
rdist of course installs it with a new inode number.
However, when I use lsof to examine the files held open
by the already running daemon process, it shows the
executable with a NODE value equal to the inode number of
the newly installed version. This is incorrect. I imagine
that this is because it may be blindly following the
symbolic link in /proc/<pid>/exe instead of looking at
the contents of /proc/<pid>/maps.
Does this problem still exist in the latest lsof-4.45 from Raw Hide?
I upgraded to 4.45, and the behavior is identical. However, I played
around a little, and it is now clear that the problem is related to
permissioning issues. When I run lsof as root or as the user who owns
the process, the output is correct. If I run it as some other user,
however, it shows less information (which is understandable, since
some parts of the /proc/<fd> directory are not readable), and it
shows an incorrect NODE number for the "mem" mapping associated with
the executable (the file that shows up as the "txt" mapping when
the user has the proper permissions). This seems wrong since
the /proc/<pid>/maps data is world-readable and has the correct
inode number in it.
Put a setuid root on the lsof binary if you wish consistent results.
In fact, lsof is supposed to be installed setuid root. Red Hat does
not distribute lsof with this setting because of the potential
security hole that might be introduced on systems where lsof is not
used and/or understood.