Re: "Text file busy"

From: Tony Landells (ahl@austclear.com.au)
Date: 07/23/02


To: Brett Glass <brett@lariat.org>
Date: Tue, 23 Jul 2002 17:04:24 +1000
From: Tony Landells <ahl@austclear.com.au>


brett@lariat.org said:
> A FreeBSD server belonging to a client of mine has begun to report
> "Text file busy" in response to common commands. I can't see anything
> unusual on the surface, but am concerned that the server may have
> been compromised anyway (a rootkit could have been installed) and
> that this is a symptom. What mechanism generates this message? And
> does it suggest that the machine may have been rooted?

The most likely source of this is attempting to change an executable
while it's running:

        # cp /bin/sleep /tmp
        # /tmp/sleep 60 &
        [1] 34527
        # cp /dev/null /tmp/sleep
        cp: /tmp/sleep: Text file busy
        # kill -ALRM 34527
        [1] Alarm clock /tmp/sleep 60
        # cp /dev/null /tmp/sleep
        #

I'm sure there are probably other occasions where this comes up, but
that's the one I've seen... Just doing a quick search through section
2 of the manual:

        access(2)
                [ETXTBSY] Write access is requested for a pure
                                procedure (shared text) file presently
                                being executed.

        execve(2)
                [ETXTBSY] The new process file is a pure procedure
                                (shared text) that is currently open for
                                writing or reading by some process.

        open(2)
                [ETXTBSY] The file is a pure procedure (shared text)
                                file that is being executed and the open()
                                call requests write access.

        truncate(2)
                [ETXTBSY] The file is a pure procedure (shared
                                text) file that is being executed.

Which all say pretty much the same thing--you can't write something being
executed, and you can't execute something that's open (assuming in both
cases that it's a shared text file).

Without knowing what's running on the system it's difficult to say whether
it's an attack, but I've certainly never seen it coming up often.

Probably ps and fstat (or doing some tracing with ktrace) are your best
bets for working out what's going on.

Tony

-- 
Tony Landells					<ahl@austclear.com.au>
Senior Network Engineer				Ph:  +61 3 9677 9319
Australian Clearing Services Pty Ltd		Fax: +61 3 9677 9355
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia
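
The behaviour described in the message above, reproduced at the system-call level. This is an added example, not part of the original message. It runs a private copy of /bin/sleep and records the errno from open(2) for writing while the copy executes and again after it has been reaped. The temporary path and the function names are assumptions of this example.

```c
/* Added example (not from the original message): ETXTBSY at the syscall level. */
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* errno from open(path, O_WRONLY), or 0 if the open succeeded. */
static int write_open_errno(const char *path) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Runs a private copy of /bin/sleep and records the result of opening it for
 * writing while it executes (*during) and after it is reaped (*after).
 * Returns 0, or -1 if setup failed (no /bin/sleep, noexec /tmp, ...). */
int etxtbsy_demo(int *during, int *after) {
    char path[] = "/tmp/etxtbsy-XXXXXX", buf[8192], c; /* hypothetical temp name */
    int p[2], in = open("/bin/sleep", O_RDONLY), out = mkstemp(path);
    ssize_t n = -1;
    if (in >= 0 && out >= 0 && fchmod(out, 0700) == 0)
        while ((n = read(in, buf, sizeof buf)) > 0 && write(out, buf, (size_t)n) == n) ;
    if (in >= 0) close(in);
    if (out >= 0) close(out); /* a lingering writer would make execve() itself fail */
    if (out < 0) return -1;
    if (n != 0 || pipe(p) != 0) { unlink(path); return -1; }
    fcntl(p[1], F_SETFD, FD_CLOEXEC);
    pid_t pid = fork();
    if (pid < 0) { close(p[0]); close(p[1]); unlink(path); return -1; }
    if (pid == 0) {
        close(p[0]);
        execl(path, path, "60", (char *)NULL);
        _exit(write(p[1], "x", 1) == 1 ? 127 : 126); /* reached only if exec failed */
    }
    close(p[1]);
    n = read(p[0], &c, 1); /* 0 = EOF: exec succeeded and close-on-exec shut the pipe */
    close(p[0]);
    if (n == 0) *during = write_open_errno(path);
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    *after = write_open_errno(path);
    unlink(path);
    return n == 0 ? 0 : -1;
}
```

On a system that enforces the rule quoted from open(2), *during is ETXTBSY and *after is 0, matching the two cp attempts in the session above.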