IBM Support

How to truss a SUID process

Question & Answer


Question

Truss is a useful command for tracking where a process is failing. It doesn't give you the overall system picture in the way that the system trace facility does, but it lets you consider only the output from the process in question and its children, and it can be run over an extended period of time without gathering too much extra information.

However, truss will only allow you to attach to a process if you have permission. For the most part this is fine, but if you are investigating a command which runs as another user under SUID, you will not be allowed to attach to the process, because the system identifies it as not belonging to your user. For example:

# ls -l prog
-rwsr-xr-x 1 root system 6692 29 Aug 08:34 prog
# su - some_user
$ truss -deaf -o truss.out prog
truss: 0915-015 Cannot create subject process.
wait4all: i: 0, status: 32512, pid: 311360, created: 0

Answer

So, how can we truss some_user's commands?

1. Log in as the user you need to investigate and find the PID of your shell using the ps command. For example:

$ ps -f
UID PID PPID C STIME TTY TIME CMD
some_user 159852 372742 0 10:33:54 pts/3 0:00 -ksh
some_user 421946 159852 3 10:36:18 pts/3 0:00 ps -f

2. Start a new session as root and truss the shell session from Step 1:

truss -deaf -o /tmp/truss.out -p 159852

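3. This new session will now log all the activity in the original shell. Because truss is running as root with the -f flag (follow child processes), the SUID command started from that shell is traced as well. Run the failing command in the original shell and then stop the truss. The /tmp/truss.out file can then be examined to find the failure.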
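
For the last step, the following shell function summarises the failed calls in the truss output. It is an added example, not part of the IBM document; it assumes failed calls end in truss's "Err#<number> <NAME>" marker and that any pid or timestamp prefix is separated by colons or spaces, and the sample lines are constructed.

```shell
# Added example: summarise failed system calls recorded in a truss output file.
# Assumption: a failed call ends with "Err#<errno> <NAME>", and any pid or
# timestamp prefix (from -f / -d) is separated from the call by ":" or spaces.
truss_failures() {
    awk '
    /Err#[0-9]+/ {
        paren = index($0, "(")
        if (paren == 0) next
        # The call name is the last token before the first "(".
        n = split(substr($0, 1, paren - 1), parts, /[ \t:]+/)
        call = parts[n]
        # The errno name is the word after "Err#<n>"; "?" if truss printed none.
        err = "?"
        if (match($0, /Err#[0-9]+[ \t]+[A-Z][A-Z0-9]*/)) {
            err = substr($0, RSTART, RLENGTH)
            sub(/^Err#[0-9]+[ \t]+/, "", err)
        }
        count[call " " err]++
    }
    END { for (k in count) print count[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Constructed sample in the assumed "pid: seconds: call" layout (not real output).
sample_truss_out() {
    cat <<'EOF'
159852: 0.0000: kfork() = 421950
421950: 0.0021: execve("./prog", 0x2FF22A5C, 0x2FF22A64) argc: 1
421950: 0.0102: statx("/etc/prog.conf", 0x2FF22910, 76, 0) Err#2 ENOENT
421950: 0.0110: open("/var/prog/state", O_RDWR) Err#13 EACCES
421950: 0.0115: open("/var/prog/lock", O_RDWR) Err#13 EACCES
421950: 0.0120: kwrite(2, "prog: cannot open state", 23) = 23
EOF
}

# Demo on the sample; on a real capture run: truss_failures /tmp/truss.out
sample_truss_out | truss_failures
```

Each output line is a count, the call name and the errno name, most frequent first; EACCES and EPERM entries are usually the ones to look at first when a SUID command fails.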


Document Information

Modified date:
17 June 2018

UID

isg3T1010515