Weird strace of #! python script
Eugene Syromyatnikov
evgsyr at gmail.com
Mon Mar 14 22:23:28 UTC 2022
On Mon, Mar 14, 2022 at 10:37 PM Dan Stromberg <drsalists at gmail.com> wrote:
> So anyway, I'm strace'ing a #!/usr/bin/python2 script.
>
> I expected to see an exec of /usr/bin/python2, but I don't. I just see an
> exec of /tmp/t.
Why, exactly, did you expect that? strace doesn't parse the binary
supplied as a command (or run a shell to do so), it just executes it
(as stated in the NOTES section in the man page[0]). The parsing of
the interpreter is performed in-kernel by the binfmt_script loader[1]
(along with all its limitations like interpreter command line size and
single argument only).
> Was this some sort of security feature I never heard about? I'm tracing a
> very simple time.sleep(10) here, but the same thing is (not) happening in a
> larger script that I need to track down a bug in.
Is that script run in a shell? That would explain it.
> Is there a way I can coax Linux and/or strace to show all the exec's, like
> they used to?
All executed execve() calls are shown.
> what else is missing from the strace report.
Syscalls performed by the child process before the first
execv/execve/execveat call are not shown, but they are usually not
pertinent to the trace, see TCB_HIDE_LOG/hide_log() usage[2][3].
[0] https://gitlab.com/strace/strace/-/blob/v5.10/strace.1.in#L1641
[1] https://elixir.bootlin.com/linux/v5.16/source/fs/binfmt_script.c#L34
[2] https://gitlab.com/strace/strace/-/blob/v5.16/src/strace.c#L3116
[3] https://gitlab.com/strace/strace/-/blob/v5.16/src/syscall.c#L634
--
Eugene Syromyatnikov
mailto:evgsyr at gmail.com
xmpp:esyr at jabber.{ru|org}
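
The in-kernel "#!" handling described in the reply, as an added example that is not part of the original message and is not kernel or strace code: a simplified user-space model showing which argv the interpreter ends up with even though the only execve() a trace records is the one for the script path. The 256-byte buffer size and the function names are assumptions of this sketch.

```python
import os
import re

BUF_SIZE = 256   # assumption: models the kernel's BINPRM_BUF_SIZE
BLANK = rb"[ \t]"


def parse_shebang(head: bytes):
    """Return (interpreter, arg_or_None), or None if the line is unusable."""
    buf = head[:BUF_SIZE]
    if not buf.startswith(b"#!"):
        return None                          # not a "#!" script
    nl = buf.find(b"\n")
    if nl == -1:
        line = buf[2:]
        # Full buffer, no newline and no blank after the interpreter
        # path: the path may be truncated, so refuse it.
        if len(buf) == BUF_SIZE and not re.search(BLANK, line.lstrip(b" \t")):
            return None
    else:
        line = buf[2:nl]
    # Only space and tab separate fields; "\r" stays part of the name.
    line = line.split(b"\0", 1)[0].strip(b" \t")
    m = re.match(rb"([^ \t]+)[ \t]*(.*)", line, re.S)
    if not m:
        return None                          # no interpreter name
    interp, arg = m.group(1), m.group(2)
    return os.fsdecode(interp), (os.fsdecode(arg) if arg else None)


def effective_argv(script_path, argv, head):
    """argv the interpreter ends up with after the in-kernel rewrite."""
    parsed = parse_shebang(head)
    if parsed is None:
        return None
    interp, arg = parsed
    return [interp] + ([arg] if arg else []) + [script_path] + list(argv[1:])


# Constructed sample modelled on the thread's /tmp/t script.
SCRIPT = b"#!/usr/bin/python2\nimport time\ntime.sleep(10)\n"

if __name__ == "__main__":
    # The trace logs only the execve of /tmp/t; this is what runs after it.
    print(effective_argv("/tmp/t", ["/tmp/t"], SCRIPT))
    # Single-argument limit: everything after the interpreter is one arg.
    print(effective_argv("/tmp/t", ["/tmp/t"], b"#!/usr/bin/env python2 -u\n"))
```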