Bug#115767: I see this too on x86-xen running etch

To: Andy Smith <andy@lug.org.uk>, 115767@bugs.debian.org
Subject: Bug#115767: I see this too on x86-xen running etch
From: Justin Pryzby <justinpryzby@users.sourceforge.net>
Date: Fri, 14 Apr 2006 12:37:07 -0400
Message-id: <[🔎] 20060414163707.GA26394@andromeda>
Reply-to: Justin Pryzby <justinpryzby@users.sourceforge.net>, 115767@bugs.debian.org
In-reply-to: <[🔎] 20060414155809.GU14071@strugglers.net>
References: <20060309171334.GB7723@strugglers.net> <20060309173706.GA15037@andromeda> <[🔎] 20060414155809.GU14071@strugglers.net>

On Fri, Apr 14, 2006 at 03:58:09PM +0000, Andy Smith wrote:
> On Thu, Mar 09, 2006 at 12:37:06PM -0500, Justin Pryzby wrote:
> > Something like strace -f -o /var/log/ssh-strace/ssh-strace.log, where
> > you should be able to set the directory permissions to be sufficiently
> > tight.
> 
> Okay, I'm now running:
> 
> $ sudo strace -ff -o /var/log/ssh-strace/ssh-strace.log /usr/sbin/sshd
Arg, in a different bug (firefox, another one of the top-50-bug
packages to which i'm subscribed), I discovered that strace -ff -o -p
caused corrupted strace output and memory corruption (in strace only).
Please make sure that your strace output is sane (no overlapping
calls).  I think all three of those options are necessary to trigger
that bug, though.

> But after only a couple of minutes all these files have been
> created:

> so I'm a bit concerned I'm going to run out of disk space.
Heh, indeed.

> Can I delete files older than a day, daily, if I have not had a
> reoccurance of the problem?
Yes.  I suggested logrotate, though I'm not familiar with it at all,
it is the standard too for this, and the config file syntax seems
pretty easy.  You'll have to run a special cronjob, though, if you
want it to happen more than once a day.

You can also tar rzf the files; since they are small, there's lots of
overhead, tar will overcome that, (and compress it to boot).  If you
can come up with some way of testing for this (such as if sshd dies;
does it?!) then you can just remove all the files every few minutes in
a root cronjob (and restart sshd, while you're at it):

* * * * * pidof /usr/sbin/sshd || { rm /var/log/ssh-strace/ssh-strace.log.*; /etc/init.d/ssh start; }

> And yes I am also aware I need to adjust my umask to stop them being
> world readable.
Actually, since the directory is 0700, that isn't strictly necessary.
Other users will neither be able to see the files nor even use that
directory as a component of a pathname.

> $ sudo ls -lah /var/log/ssh-strace/
> total 3.2M
> drwx------  2 root root 3.0K Apr 14 15:54 .

Justin

Reply to:

Follow-Ups:
- Bug#115767: I see this too on x86-xen running etch
  - From: Andy Smith <andy@lug.org.uk>

References:
- Bug#115767: I see this too on x86-xen running etch
  - From: Andy Smith <andy@lug.org.uk>

Prev by Date: Bug#115767: I see this too on x86-xen running etch
Next by Date: Processed: severity of 115767 is important
Previous by thread: Bug#115767: I see this too on x86-xen running etch
Next by thread: Bug#115767: I see this too on x86-xen running etch
Index(es):
- Date
- Thread