Weird strace of #! python script

Eugene Syromyatnikov evgsyr at
Mon Mar 14 22:23:28 UTC 2022

On Mon, Mar 14, 2022 at 10:37 PM Dan Stromberg <drsalists at> wrote:
> So anyway, I'm strace'ing a #!/usr/bin/python2 script.
> I expected to see an exec of /usr/bin/python2, but I don't.  I just see an
> exec of /tmp/t.

Why, exactly, did you expect that? strace doesn't parse binary
supplied as a command (or runs a shell to do so), it just executes it
(as stated in the NOTES section in the man page[0]). The parsing of
the interpreter is performed in-kernel by the binfmt_script loader[1]
(along with all its limitations like interpreter command line size and
single argument only).

> Was this some sort of security feature I never heard about?  I'm tracing a
> very simple time.sleep(10) here, but the same thing is (not) happening in a
> larger script that I need to track down a bug in.

Is that script run in a shell? That would explain it.

> Is there a way I can coax Linux and/or strace to show all the exec's, like
> they used to?

All executed execve() calls are shown.

> what else is missing from the strace report.

syscalls performed by the child process before the first
execv/execve/execveat call are not shown, but they usually not
pertaining to the trace, see TCB_HIDE_LOG/hide_log() usage[2][3].


Eugene Syromyatnikov
mailto:evgsyr at
xmpp:esyr at jabber.{ru|org}

More information about the Strace-devel mailing list