Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!shadooby!samsung!think!snorkelwacker!spdcc!xylogics!world!bzs
From: bzs@world.std.com (Barry Shein)
Newsgroups: comp.unix.wizards
Subject: Re: Utility to keep all typed command lines.
Message-ID: <1990Jan3.225009.17563@world.std.com>
Date: 3 Jan 90 22:50:09 GMT
References: <1527@utkcs2.cs.utk.edu> <1990Jan2.180615.28396@ux1.cso.uiuc.edu> <17538@rpp386.cactus.org>
Organization: The World @ Software Tool & Die
Lines: 44
In-Reply-To: jfh@rpp386.cactus.org's message of 3 Jan 90 06:25:58 GMT

Gak, I'm amazed at the bad advice this poor fool is getting, I think people don't understand what he's really after, probably spying on users to trap certain hackery. I assume that's what you mean, otherwise just use "script".

Here's a few realistic approaches, none of which will work for you:

1. Modify the shell source to punch each command line as entered, syslog() might be a way to do this but that's up to you, the problem will be punching to a file which is protected from general write access. One possibility is making it setuid and have main open the accounting file and then drop setuid. You'll have to be careful about anyone inheriting this open file descriptor.

   The hole is all forks/execs started without the shell, if I were a cracker and knew you were doing this I'd cobble together my own shell in about 1/2 hour, I probably don't need anything but read line, break into strings, fork/exec (don't need indirection, shell programming etc.) Even simpler, any number of source distributable shells, etc.

2. Sample frequently a "ps auww", probably trim and send to a file. This will only catch commands you catch, depends on sampling frequency and how fast your ps can rip through the system. You can write your own process groveler but it probably won't be much faster than just doing a popen() on ps, most of ps's time is spent groveling through swap etc., most people learn this the hard way.

   Anyhow, this won't work very well except for reasonably long running commands.

3. Put it into exec in the kernel, link it to the current accounting system. This is the only way to do what you want reliably and chances are good your system won't do a whole lot else (not to mention the disk space.) Might be nice to have some way to limit such a facility to certain users, commands etc. via (priv'd) ioctls.

Like I said, I doubt any of those are what you want (well, you *want* 3, but you don't have sources or don't want to be bothered with such a project, ah well, we're only arguing about the price :-)

--
        -Barry Shein

Software Tool & Die, Purveyors to the Trade         | bzs@world.std.com
1330 Beacon St, Brookline, MA 02146, (617) 739-0202 | {xylogics,uunet}world!bzs
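Approach 1 as Barry describes it (a set-id shell that opens a protected accounting file, drops privilege, and records each line before running it), as an added example that is not code from the post: the audit file path and the set-id installation are assumptions, and the descriptor is opened close-on-exec so no executed command inherits it.

```c
#define _POSIX_C_SOURCE 200809L            /* strtok_r, O_CLOEXEC */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#define MAX_ARGS 64
#define AUDIT_PATH "/var/log/cmdaudit"      /* assumed path, not writable by users */

/* Split a command line into an argv vector on blanks; returns argc. */
int split_args(char *line, char **argv, int max) {
    int n = 0; char *save = NULL;
    for (char *tok = strtok_r(line, " \t\n", &save);
         tok != NULL && n < max - 1; tok = strtok_r(NULL, " \t\n", &save))
        argv[n++] = tok;
    argv[n] = NULL;
    return n;
}

/* Append one record (epoch time, uid, raw line); returns bytes written or -1. */
int audit_write(int fd, unsigned uid, const char *line) {
    char buf[512];
    int n = snprintf(buf, sizeof buf, "%ld uid=%u %s\n", (long)time(NULL), uid, line);
    if (n < 0 || (size_t)n >= sizeof buf) return -1;
    return (int)write(fd, buf, (size_t)n);
}

/* Open the audit file while still privileged (assumes a set-id install), mark it
   close-on-exec, then drop the set-id privilege for good before reading input. */
int open_audit_log(const char *path) {
    int fd = open(path, O_WRONLY | O_APPEND | O_CLOEXEC);
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(1);
    return fd;
}

int main(void) {
    int log = open_audit_log(AUDIT_PATH);
    char line[256], *argv[MAX_ARGS];
    while (fputs("$ ", stdout), fflush(stdout), fgets(line, sizeof line, stdin)) {
        line[strcspn(line, "\n")] = '\0';
        if (log >= 0) audit_write(log, (unsigned)getuid(), line); /* log before exec */
        if (split_args(line, argv, MAX_ARGS) == 0) continue;
        pid_t pid = fork();
        if (pid == 0) { execvp(argv[0], argv); perror(argv[0]); _exit(127); }
        if (pid > 0) waitpid(pid, NULL, 0);
    }
    return 0;
}
```

As the post warns, this only sees lines typed into this shell; anything that forks and execs on its own never passes through audit_write, which is why approach 3 is the only complete one.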