I started a daemon process and then used rdist to update the program that was already running. Since the running program is holding open the old version of the binary, rdist of course installs it with a new inode number. However, when I use lsof to examine the files held open by the already running daemon process, it shows the executable with a NODE value equal to the inode number of the newly installed version. This is incorrect. I imagine that this is because it may be blindly following the symbolic link in /proc/<pid>/exe instead of looking at the contents of /proc/<pid>/maps. Thanks, Andy
Does this problem still exist in the latest lsof-4.45 from Raw Hide?
I upgraded to 4.45, and the behavior is identical. However, I played around a little, and it is now clear that the problem is related to permissioning issues. When I run lsof as root or as the user who owns the process, the output is correct. If I run it as some other user, however, it shows less information (which is understandable, since some parts of the /proc/<fd> directory are not readable), and it shows an incorrect NODE number for the "mem" mapping associated with the executable (the file that shows up as the "txt" mapping when the user has the proper permissions). This seems wrong since the /proc/<pid>/maps data is world-readable and has the correct inode number in it. Thanks, Andy
Put a setuid root on the lsof binary if you wish consistent results. In fact, lsof is supposed to be installed setuid root. Red Hat does not distribute lsof with this setting because of the potential security hole that might be introduced on systems where lsof is not used and/or understood.