I would like to monitor the STDERR channel of all the processes running on my Linux. Monitoring should preferably be done in real time (i.e. while the process is running), but post-processing will also do. It should be done without requiring root permissions, and without breaking any security features.

I have done a good bit of searching, and found some utilities such as reptyr and screenify, and a few explanations on how to do this with gdb (for example here). However, all of these seem to be doing both too much and too little. Too much in the sense that they take full control of the process's stream handles (i.e. closing the original one and opening a new one). Too little in the sense that they have serious limitations, such as the fact that they require disabling security features, such as ptrace_scope.

Any advice would be highly appreciated!

avidane
  • +1 for introducing me to reptyr. :D – wojciii May 21 '14 at 09:13
  • I gave a +1 to whoever introduced me to it as well :-), but this thread sort of scared me https://bugs.archlinux.org/task/38873, plus I couldn't get it to work well – avidane May 22 '14 at 05:42

1 Answer

Maybe this question would get more answers on SU. The only thing I could think of would be to monitor the files and devices already opened as STDERR. Of course, this would not work if STDERR is redirected to /dev/null.

You can get all the file descriptors for STDERR with:

ls -l /proc/[0-9]*/fd/2

If you own the process, accessing its STDERR file descriptor or output file should be possible in the language of your choice without being root.

Eric Fournie
  • Thanks for the answer... You made me think that maybe my question is simpler than I thought. Assuming I'm using Perl, would I be just opening these descriptors as a normal file (i.e. open(INPUT, "/dev/proc/pid/fd/2"))? I guess I should try that... – avidane May 21 '14 at 16:35
  • I only tried it with a simple `tail -f`, but as it worked, it should not be a problem with an `open`. As far as I know, there is normally no locking (or only advisory locking) in Linux, so no problem here. And `STDERR` will only be appended, which should prevent most of the concurrency problems. – Eric Fournie May 22 '14 at 07:32
  • Shouldn't this be `/proc/` instead of `/dev/proc/`? – aularon Jun 06 '14 at 20:45
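Putting the answer's `/proc/<pid>/fd/2` approach into a script, as an added example that is not from the question or the answer (Python rather than the Perl the question mentions, and with the `/proc` path the last comment points out): it lists where fd 2 of every process the current user may inspect points, and follows a regular-file target from a separate open, so the process's own descriptor is never touched. The `is_tailable` check is the caveat a practitioner needs: opening the fd link of a pipe or terminal creates a second reader that consumes bytes meant for the real consumer, so only regular files are followed.

```python
import os
import time
from stat import S_ISREG

PROC = "/proc"


def stderr_targets(proc=PROC):
    """Map pid -> the path fd 2 points at, for every process we may inspect.

    readlink on /proc/<pid>/fd/<n> is allowed for processes of our own uid
    (or with CAP_SYS_PTRACE); Yama's ptrace_scope only restricts attach, not
    this read check, so no root and no relaxed ptrace_scope is needed.
    Other processes raise PermissionError and are simply skipped.
    """
    targets = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            targets[int(name)] = os.readlink(os.path.join(proc, name, "fd", "2"))
        except OSError:  # not ours, already exited, or fd 2 closed
            continue
    return targets


def is_tailable(target):
    """Only regular files are safe to follow from outside the process: the
    fd link of a pipe or tty would give us a second reader that steals data
    from the real consumer, and /dev/null or a deleted file yields nothing."""
    if not target.startswith("/") or target.endswith(" (deleted)"):
        return False
    try:
        return S_ISREG(os.stat(target).st_mode)
    except OSError:
        return False


def read_since(path, offset):
    """Return (new_lines, new_offset): the complete lines appended after offset.
    Opening by path gives us our own file description, so seeking here never
    moves the writing process's offset; a partial trailing line is held back."""
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read()
    end = data.rfind(b"\n") + 1
    return data[:end].decode(errors="replace").splitlines(), offset + end


def tail_stderr(pid, interval=0.2, max_polls=None):
    """Print lines appended to pid's stderr file, like tail -f (Ctrl-C stops)."""
    target = os.readlink(f"{PROC}/{pid}/fd/2")
    if not is_tailable(target):
        raise ValueError(f"fd 2 of pid {pid} is {target!r}, not a regular file")
    offset, polls = os.path.getsize(target), 0   # start at the end, like tail -f
    while max_polls is None or polls < max_polls:
        lines, offset = read_since(target, offset)
        for line in lines:
            print(f"[{pid}] {line}")
        polls += 1
        time.sleep(interval)
```

Run `stderr_targets()` first to see which processes are visible and which targets are files; `tail_stderr(pid)` then follows one of them and refuses pipes, terminals and /dev/null.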