Bug 4631 - lsof 4.42 reports incorrect NODE for deleted executable
lsof 4.42 reports incorrect NODE for deleted executable
Product: Red Hat Linux
Classification: Retired
Component: lsof (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: David Lawrence
Depends On:
  Show dependency treegraph
Reported: 1999-08-20 16:11 EDT by schorr
Modified: 2008-05-01 11:37 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 1999-08-23 12:15:12 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description schorr 1999-08-20 16:11:51 EDT
I started a daemon process and then used rdist to update
the program that was already running.  Since the running
program is holding open the old version of the binary,
rdist of course installs it with a new inode number.
However, when I use lsof to examine the files held open
by the already running daemon process, it shows the
executable with a NODE value equal to the inode number of
the newly installed version.  This is incorrect.  I imagine
that this is because it may be blindly following the
symbolic link in /proc/<pid>/exe instead of looking at
the contents of /proc/<pid>/maps.

Comment 1 Jeff Johnson 1999-08-20 17:47:59 EDT
Does this problem still exist in the latest lsof-4.45 from Raw Hide?
Comment 2 schorr 1999-08-23 09:22:59 EDT
I upgraded to 4.45, and the behavior is identical.  However, I played
around a little, and it is now clear that the problem is related to
permissioning issues.  When I run lsof as root or as the user who owns
the process, the output is correct.  If I run it as some other user,
however, it shows less information (which is understandable, since
some parts of the /proc/<fd> directory are not readable), and it
shows an incorrect NODE number for the "mem" mapping associated with
the executable (the file that shows up as the "txt" mapping when
the user has the proper permissions).  This seems wrong since
the /proc/<pid>/maps data is world-readable and has the correct
inode number in it.

Comment 3 Jeff Johnson 1999-08-23 12:15:59 EDT
Put a setuid root on the lsof binary if you wish consistent results.
In fact, lsof is supposed to be installed setuid root. Red Hat does
not distribute lsof with this setting because of the potential
security hole that might be introduced on systems where lsof is not
used and/or understood.

Note You need to log in before you can comment on or make changes to this bug.