Utility to keep all typed command lines.

Barry Shein bzs at world.std.com
Thu Jan 4 09:50:09 AEST 1990


Gak, I'm amazed at the bad advice this poor fool is getting, I think
people don't understand what he's really after, probably spying on
users to trap certain hackery. I assume that's what you mean,
otherwise just use "script".

Here's a few realistic approaches, none of which will work for you:

1. Modify the shell source to punch each command line as entered,
syslog() might be a way to do this but that's up to you, the problem
will be punching to a file which is protected from general write
access.  One possibility is making it setuid and have main open the
accounting file and then drop setuid. You'll have to be careful about
anyone inheriting this open file descriptor.

The hole is all forks/execs started without the shell, if I were a
cracker and knew you were doing this I'd cobble together my own shell
in about 1/2 hour, I probably don't need anything but read line, break
into strings, fork/exec (don't need indirection, shell programming
etc.) Even simpler, any number of source distributable shells, etc.

2. Sample frequently a "ps auww", probably trim and send to a file.
This will only catch commands you catch, depends on sampling frequency
and how fast your ps can rip through the system. You can write your
own process groveler but it probably won't be much faster than just
doing a popen() on ps, most of ps's time is spent groveling through
swap etc., most people learn this the hard way. Anyhow, this won't
work very well except for reasonably long running commands.

3. Put it into exec in the kernel, link it to the current accounting
system. This is the only way to do what you want reliably and chances
are good your system won't do a whole lot else (not to mention the
disk space.) Might be nice to have some way to limit such a facility
to certain users, commands etc. via (priv'd) ioctls.

Like I said, I doubt any of those are what you want (well, you *want*
3, but you don't have sources or don't want to be bothered with such a
project, ah well, we're only arguing about the price :-)

-- 
        -Barry Shein

Software Tool & Die, Purveyors to the Trade         | bzs at world.std.com
1330 Beacon St, Brookline, MA 02146, (617) 739-0202 | {xylogics,uunet}world!bzs
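
Approach 1 in the post above (open the accounting file while still setuid, drop setuid, and keep the open descriptor from being inherited) can look like this in C. This is an added example, not part of the original post or of any shell's source; `LOG_PATH`, the `cmdlog_*` names and the record format are assumptions made for illustration.

```c
/* Added illustration; LOG_PATH and the cmdlog_* names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed path; a real deployment would use a root-owned, mode 0600 file. */
#define LOG_PATH "/tmp/cmdlog-example.log"

/* Open the log while still privileged. O_APPEND keeps records whole,
 * O_CLOEXEC keeps the descriptor out of every program the shell execs. */
int cmdlog_open(const char *path)
{
    return open(path, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC | O_NOFOLLOW, 0600);
}

/* Permanently give up setuid/setgid privilege (group first), then verify. */
int cmdlog_drop_privs(void)
{
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;
    return (geteuid() == getuid() && getegid() == getgid()) ? 0 : -1;
}

/* 1 if the descriptor is closed on exec, 0 if a child would inherit it. */
int cmdlog_fd_is_private(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags != -1 && (flags & FD_CLOEXEC) != 0;
}

/* Append one record "uid<TAB>command line\n" with a single write(). */
int cmdlog_record(int fd, const char *line)
{
    char buf[1024];
    int n;
    if (strchr(line, '\n') != NULL)
        return -1;                      /* an embedded newline would forge a record */
    n = snprintf(buf, sizeof buf, "%ld\t%s\n", (long)getuid(), line);
    if (n < 0 || (size_t)n >= sizeof buf) return -1;  /* refuse truncation */
    return write(fd, buf, (size_t)n) == (ssize_t)n ? 0 : -1;
}

int main(void)
{
    int fd = cmdlog_open(LOG_PATH);
    if (fd < 0 || cmdlog_drop_privs() != 0 || !cmdlog_fd_is_private(fd))
        return 1;
    return cmdlog_record(fd, "ls -l /etc") == 0 ? 0 : 1;
}
```

As the post notes, this only records what passes through the instrumented shell; a process started by any other fork/exec path leaves no record.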


