schemers@vela.acs.oakland.edu (Roland Schemers III) (11/08/90)
Hello! We have a VAX 6000/310 running Ultrix 4.0 (rev 179), and
twice since we have installed it in August the process table has
become corrupt! A bunch of system processes were all of a sudden
owned by a student (different student in both cases)! Here is
the abbreviated output of ps:

USER       PID %CPU %MEM   SZ  RSS TT STAT  TIME COMMAND
schemers 27280 20.6  0.8  498  350 p3 R     0:00 ps -guax
jfhumphr 27066 12.8  0.1  107   52 14 R     0:09 /etc/syslog
jfhumphr 27286  1.5  0.1   31   16 14 S     0:00 sh /bin/machine
jfhumphr 26940  1.2  0.6  301  251 14 I     0:03 init
daemon   10800  0.8  0.1  123   60 ?  S     0:53 /etc/syslog
jfhumphr 27182  0.7  0.2  237   73 14 S     0:00 -csh (csh)
schemers 14603  0.6  0.3  187  143 p3 S     0:02 -ksh (ksh)
root         1  0.3  0.6  301  251 ?  S     5:38 init
jfhumphr 27137  0.3  0.0    6    3 14 S     0:00 /etc/update
jfhumphr 27254  0.2  0.1  143   41 14 I     0:00 - H tty50 (getty)
schemers 27014  0.2  0.8  500  356 p3 T     0:01 ps -guax
jfhumphr 27253  0.2  0.1  143   41 14 I     0:00 - H tty49 (getty)
jfhumphr 27251  0.2  0.1  143   41 14 I     0:00 - H tty47 (getty)
jfhumphr 27248  0.2  0.1  143   41 14 I     0:00 - H tty45 (getty)
root     10834  0.2  0.0    6    3 ?  I     1:09 /etc/update
jfhumphr 27252  0.2  0.1  143   41 14 I     0:00 - H tty48 (getty)
jfhumphr 27238  0.1  0.1  143   41 14 I     0:00 - H tty38 (getty)
jfhumphr 27140  0.0  0.1   39   17 14 S     0:00 /etc/cron
jfhumphr 27177  0.0  0.1  143   41 14 S     0:00 - H tty10 (getty)
jfhumphr 27174  0.0  0.1  143   41 14 S     0:00 - std.9600 console (getty)
jfhumphr 26838  0.0  0.2  237   73 14 I     0:00 -csh (csh)
root     10841  0.0  0.2  117   83 ?  I     0:05 /etc/inetd
jfhumphr 27055  0.0  0.1   54   28 14 I     0:00 /usr/etc/rwalld
root     10837  0.0  0.1   39   17 ?  S     0:02 /etc/cron

It seems that for every process that was owned by this student (jfhumphr),
there was also one still owned by root. There were 2 crons, 2 updates,
about 30 or 50 gettys each.

Has anyone seen this problem before? Just checking before I call DEC.

Roland

--
Roland J. Schemers III                           Systems Programmer
schemers@vela.acs.oakland.edu (Ultrix)           Oakland University
schemers@argo.acs.oakland.edu (VMS)              Rochester, MI 48309-4401
~Disclaimer::Disclaimer() { reboot(RB_HALT); }   (313)-370-4323

grr@cbmvax.commodore.com (George Robbins) (11/09/90)
In article <3752@vela.acs.oakland.edu> schemers@vela.acs.oakland.edu (Roland Schemers III) writes:
> Hello! We have a VAX 6000/310 running Ultrix 4.0 (rev 179), and
> twice since we have installed it in August the process table has
> become corrupt! A bunch of system processes were all of a sudden
> owned by a student (different student in both cases)! Here is

It's probably not process table corruption, but rather corruption
of the utmp file. This used to happen a lot, but it's much better
now. Note that this doesn't alter the privileges of the affected
processes, but there are/were some security holes opened by having
inconsistent utmp info..

> the abbreviated output of ps:
>
> USER       PID %CPU %MEM   SZ  RSS TT STAT  TIME COMMAND
> schemers 27280 20.6  0.8  498  350 p3 R     0:00 ps -guax
> jfhumphr 27066 12.8  0.1  107   52 14 R     0:09 /etc/syslog
> jfhumphr 27286  1.5  0.1   31   16 14 S     0:00 sh /bin/machine
> jfhumphr 26940  1.2  0.6  301  251 14 I     0:03 init

--
George Robbins - now working for,     uucp:   {uunet|pyramid|rutgers}!cbmvax!grr
but no way officially representing:   domain: grr@cbmvax.commodore.com
Commodore, Engineering Department     phone:  215-431-9349 (only by moonlite)

mamros@energy.irc.cbm.dec.com (Shawn Mamros) (11/09/90)
The way ps works, it has to open /dev/kmem and read the proc structs in
kernel memory. However, it's not an atomic operation. If you happen to
catch the system at a point where it's moving things around, it can result
in some strange output from ps. Usually not as strange as what you're
seeing, but it's possible.

Is the error a repeatable one? If, say, you type ps once and see weird
process ownerships, what happens when you do a ps a few seconds afterward?
Is everything back to normal? If so, I'd say it's just a temporary glitch
with ps catching the proc structs in mid-transition.

And if not... does the system ever correct itself? Or do things stay
messed up until reboot time?

I must admit I've never seen ps behave that way before, but then again
I haven't used ULTRIX V4.0 heavily on VAXen either.

-Shawn Mamros
E-mail to: mamros@crl.dec.com
Disclaimer: I am neither an "official" representative nor an ULTRIX developer.
            Just another ULTRIX "customer" ;-)

schemers@vela.acs.oakland.edu (Roland Schemers III) (11/09/90)
In article <15722@cbmvax.commodore.com> grr@cbmvax.commodore.com (George Robbins) writes:
>In article <3752@vela.acs.oakland.edu> schemers@vela.acs.oakland.edu (Roland Schemers III) writes:
>> Hello! We have a VAX 6000/310 running Ultrix 4.0 (rev 179), and
>> twice since we have installed it in August the process table has
>> become corrupt! A bunch of system processes were all of a sudden
>> owned by a student (different student in both cases)! Here is
>
>
>It's probably not process table corruption, but rather corruption
>of the utmp file. This used to happen a lot, but it's much better
>now.

I would like to agree, but what about the error messages in the syslog file:

Nov 7 14:44:50 localhost: 27036 named: bind(vs, 0.0.0.0[53]): Permission denied
Nov 7 14:44:53 localhost: 27075 sendmail: AA27040: to=wjyoung@vela.acs.oakland.edu, delay=00:00:07, stat=Sent
Nov 7 14:44:54 localhost: 27087 sendmail: NOQUEUE: SYSERR: getrequests: cannot bind: Address already in use
Nov 7 14:44:54 localhost: 27087 sendmail: cannot get connection
Nov 7 14:45:02 localhost: 27161 snmpd: Start snmpd version 3.2 at Wed Nov 7 14:45:01 1990
Nov 7 14:45:02 localhost:
Nov 7 14:45:03 localhost: 27161 snmpd: /dev/kmem: cannot open
Nov 7 14:45:03 localhost: 27161 snmpd: main: problems in init_kmem
Nov 7 14:45:04 localhost: getty: '/etc/getty std.9600 /dev/console' open failed Permission denied
Nov 7 14:45:04 localhost: getty: '/etc/getty H /dev/tty08' open failed Permission denied
Nov 7 14:45:04 localhost: getty: '/etc/getty H /dev/tty09' open failed Permission denied
Nov 7 14:45:04 localhost: getty: '/etc/getty H /dev/tty10' open failed Permission denied
Nov 7 14:45:05 localhost: getty: /dev/console: Permission denied
Nov 7 14:45:05 localhost: getty: '/etc/getty H /dev/tty11' open failed Permission denied
Nov 7 14:45:05 localhost: getty: /dev/tty08: Permission denied
Nov 7 14:45:05 localhost: getty: /dev/tty09: Permission denied
Nov 7 14:45:05 localhost: getty: /dev/tty10: Permission denied
Nov 7 14:45:06 localhost: getty: /dev/tty11: Permission denied
Nov 7 14:45:06 localhost: getty: '/etc/getty H /dev/tty12' open failed Permission denied
Nov 7 14:45:07 localhost: getty: '/etc/getty H /dev/tty13' open failed Permission denied
Nov 7 14:45:07 localhost: getty: /dev/tty12: Permission denied
Nov 7 14:45:07 localhost: getty could not set pgrp, Not owner
Nov 7 14:45:08 localhost: getty: /dev/tty13: Permission denied
Nov 7 14:45:08 localhost: getty: '/etc/getty H /dev/tty15' open failed Permission denied
Nov 7 14:45:09 localhost: getty: /dev/tty15: Permission denied
Nov 7 14:45:09 localhost: getty: '/etc/getty H /dev/tty16' open failed Permission denied
Nov 7 14:45:09 localhost: getty: '/etc/getty H /dev/tty17' open failed Permission denied
Nov 7 14:45:10 localhost: getty: '/etc/getty H /dev/tty18' open failed Permission denied
Nov 7 14:45:10 localhost: getty: '/etc/getty H /dev/tty19' open failed Permission denied
Nov 7 14:45:10 localhost: getty: /dev/tty16: Permission denied
Nov 7 14:45:11 localhost: getty: /dev/tty17: Permission denied
Nov 7 14:45:11 localhost: getty: '/etc/getty H /dev/tty21' open failed Permission denied
Nov 7 14:45:11 localhost: getty: /dev/tty18: Permission denied
Nov 7 14:45:11 localhost: getty: '/etc/getty H /dev/tty20' open failed Permission denied
Nov 7 14:45:11 localhost: getty: /dev/tty19: Permission denied
Nov 7 14:45:12 localhost: getty: /dev/tty21: Permission denied
Nov 7 14:45:13 localhost: getty: /dev/tty20: Permission denied
Nov 7 14:45:14 localhost: getty: '/etc/getty H /dev/tty22' open failed Permission denied
Nov 7 14:45:14 localhost: getty: '/etc/getty H /dev/tty23' open failed Permission denied
Nov 7 14:45:15 localhost: getty: '/etc/getty H /dev/tty24' open failed Permission denied
Nov 7 14:45:15 localhost: getty: /dev/tty22: Permission denied
Nov 7 14:45:16 localhost: getty: /dev/tty23: Permission denied
Nov 7 14:45:16 localhost: getty: /dev/tty24: Permission denied
Nov 7 14:45:19 localhost: getty: '/etc/getty H /dev/tty28' open failed Permission denied
Nov 7 14:45:19 localhost: getty: '/etc/getty H /dev/tty25' open failed Permission denied
Nov 7 14:45:19 localhost: getty: '/etc/getty H /dev/tty26' open failed Permission denied
Nov 7 14:45:19 localhost: getty: '/etc/getty H /dev/tty27' open failed Permission denied
Nov 7 14:45:20 localhost: getty: /dev/tty26: Permission denied
Nov 7 14:45:20 localhost: getty: /dev/tty25: Permission denied
Nov 7 14:45:21 localhost: getty: /dev/tty28: Permission denied
Nov 7 14:45:21 localhost: getty: /dev/tty27: Permission denied
Nov 7 14:45:21 localhost: getty: '/etc/getty H /dev/tty29' open failed Permission denied
Nov 7 14:45:22 localhost: getty: /dev/tty29: Permission denied
Nov 7 14:45:22 localhost: getty: '/etc/getty H /dev/tty30' open failed Permission denied
Nov 7 14:45:23 localhost: getty: /dev/tty30: Permission denied

Along with the fact that there were two processes, one owned by root and one
by the student.

Some suggested that maybe the student was playing around and executing files
in /etc. I tried running /etc/init and some others as myself on my
VAXstation 3140, and couldn't recreate the problem.

Roland

--
Roland J. Schemers III                           Systems Programmer
schemers@vela.acs.oakland.edu (Ultrix)           Oakland University
schemers@argo.acs.oakland.edu (VMS)              Rochester, MI 48309-4401
~Disclaimer::Disclaimer() { reboot(RB_HALT); }   (313)-370-4323
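
An added example, not part of the thread and not anyone's posted code: a triage script combining the pattern Roland describes (a daemon running once under a system account and again under a student) with the check Shawn Mamros asks for (does the oddity survive a second ps a few seconds later?). SNAPSHOT_1 uses rows from the first post; SNAPSHOT_2, the SYSTEM_USERS set and all function names are assumptions made for illustration.

```python
import re

SYSTEM_USERS = {"root", "daemon"}  # assumption: accounts expected to own daemons

# Rows copied from the ps output in the first post.
SNAPSHOT_1 = """\
USER       PID %CPU %MEM   SZ  RSS TT STAT  TIME COMMAND
jfhumphr 27066 12.8  0.1  107   52 14 R     0:09 /etc/syslog
jfhumphr 26940  1.2  0.6  301  251 14 I     0:03 init
daemon   10800  0.8  0.1  123   60 ?  S     0:53 /etc/syslog
root         1  0.3  0.6  301  251 ?  S     5:38 init
jfhumphr 27254  0.2  0.1  143   41 14 I     0:00 - H tty50 (getty)
jfhumphr 27140  0.0  0.1   39   17 14 S     0:00 /etc/cron
root     10837  0.0  0.1   39   17 ?  S     0:02 /etc/cron
root     10841  0.0  0.2  117   83 ?  I     0:05 /etc/inetd
"""

# Constructed second snapshot, "a few seconds afterward": PID 27066 is gone.
SNAPSHOT_2 = """\
USER       PID %CPU %MEM   SZ  RSS TT STAT  TIME COMMAND
jfhumphr 26940  0.4  0.6  301  251 14 I     0:03 init
daemon   10800  0.8  0.1  123   60 ?  S     0:53 /etc/syslog
root         1  0.3  0.6  301  251 ?  S     5:38 init
jfhumphr 27140  0.0  0.1   39   17 14 S     0:00 /etc/cron
root     10837  0.0  0.1   39   17 ?  S     0:02 /etc/cron
"""

def parse_ps(text):
    """Yield (user, pid, name) for each data row of `ps -guax`-style output."""
    for line in text.splitlines()[1:]:           # skip the header row
        f = line.split(None, 9)                  # COMMAND may contain spaces
        if len(f) < 10:
            continue
        m = re.search(r"\((\S+)\)\s*$", f[9])    # "- H tty50 (getty)" -> getty
        name = m.group(1) if m else f[9].split()[0].rsplit("/", 1)[-1]
        yield f[0], int(f[1]), name

def suspects(text):
    """Non-system-owned processes whose command also runs under a system user."""
    rows = list(parse_ps(text))
    system_cmds = {name for user, _, name in rows if user in SYSTEM_USERS}
    return {(user, pid, name) for user, pid, name in rows
            if user not in SYSTEM_USERS and name in system_cmds}

def persistent(first, second):
    """Suspects present in both snapshots, i.e. not a one-off ps read glitch."""
    return sorted(suspects(first) & suspects(second))

if __name__ == "__main__":
    for user, pid, name in persistent(SNAPSHOT_1, SNAPSHOT_2):
        print(f"{name}: pid {pid} owned by {user} in both snapshots")
```

An empty result from persistent() matches the transient case Shawn describes; entries that keep the same PID and owner across snapshots are the ones worth checking against the syslog timestamps.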