Files – How to Redirect a File Descriptor Before Execution

file-descriptorsfilenamesfilesprocess

I know that I can change the file a program writes to by interrupting the process in gdb, closing using the file descriptor and then re-opening with the file name I want. Is there a way to do the same thing at run time?

For example I know that the file I want to change uses file descriptor 5 so I tried

./myexe 5>/dev/null

But all that does is change things so the file of interest is on fd=6.

Best Answer

When a program opens a file, that file ends up on a file descriptor that's free at the time. By opening a file before the program starts, you're only making one more file descriptor busy, so the file you're interested in might end up on a different descriptor. If you want the program to open a different file, you'll need to modify the open operation when it takes place, or intervene afterwards.

One way to modify the operation is to wedge some code between the program and the system library, by preloading a small piece of code. This assumes that the program is a dynamically linked binary, or a script executed by a dynamically linked binary (i.e. it isn't statically linked). Write the following code to a file override_fopen.c:

#include <dlfcn.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#ifndef FROM
#error "Define FROM to the path to override in double quotes, e.g. -DFROM='\"/bad\"'"
#endif
#ifndef TO
#error "Define TO to the path to use instead in double quotes, e.g. -DFROM='\"/good\"'"
#endif
FILE *fopen(const char *path, const char *mode) {
    void *(*original_fopen)(const char *, const char *) = dlsym(RTLD_NEXT, "fopen");
    if (!strcmp(path, FROM)) {
        path = TO;
    }
    return original_fopen(path, mode);
}
int open(const char *path, int oflag, ...) {
    int (*original_open)(const char *, int, ...) = dlsym(RTLD_NEXT, "open");
    int ret;
    va_list args;
    if (!strcmp(path, FROM)) {
        path = TO;
    }
    va_start(args, oflag);
    if (oflag & O_CREAT) {
        ret = original_open(path, oflag, (mode_t)va_arg(args, mode_t));
    } else {
        ret = original_open(path, oflag);
    }
    va_end(args);
    return ret;
}

Compile with the following command (that's for Linux, other Unix variants may require different options). Note the quotes around the path you want to override.

gcc -DFROM='"/some/path"' -DTO='"/dev/null"' -D_GNU_SOURCE -O -Wall -fPIC -shared -o override_fopen.so override_fopen.c -ldl

Run the program as follows (on OSX, use DYLD_PRELOAD instead of LD_PRELOAD):

LD_PRELOAD=./override_fopen.so ./myexe

This only works if the program is calling the fopen or open library function. If it calls some other function, you'll need to override that one. You can use ltrace to see what library calls the program makes.

Related Solutions

Linux – What happens when I close() a file descriptor

The file descriptor 1 translates to the stdout FILE structure in the Kernel's Open Files Table.

This is a misunderstanding. The kernel's file table has nothing whatsoever to do with user-space file structures.

In any event, the kernel has two levels of indirection. There is the internal structure that represents the file itself, which is reference counted. There is an "open file description" that is reference counted. And then there is the file handle, which is not reference counted. The file structure points the way to the inode itself. The open file description contains things like the open mode and file pointer.

When you call close, you always close the file handle. When a file handle is closed, the reference count on its open file description is decremented. If it goes to zero, the open file description is also released and the reference count on the file itself is decremented. Only if that goes to zero is the kernel's file structure freed.

There is no chance for one process to release a resource another process is using because shared resources are reference counted.

Linux – Safest way to force close a file descriptor

Fiddling with a process with gdb is almost never safe though may be necessary if there's some emergency and the process needs to stay open and all the risks and code involved is understood.

Most often I would simply terminate the process, though some cases may be different and could depend on the environment, who owns the relevant systems and process involved, what the process is doing, whether there is documentation on "okay to kill it" or "no, contact so-and-so first", etc. These details may need to be worked out in a post-mortem meeting once the dust settles. If there is a planned migration it would be good in advance to check whether any processes have problematic file descriptors open so those can be dealt with in a non-emergency setting (cron jobs or other scheduled tasks that run only in the wee hours when migrations may be done are easily missed if you check only during daytime hours).

Write-only versus Read versus Read-Write

Your idea to reopen the file descriptor O_WRONLY is problematic as not all file descriptors are write-only. John Viega and Matt Messier take a more nuanced approach in the "Secure Programming Cookbook for C and C++" book and handle standard input differently than standard out and standard error (p. 25, "Managing File Descriptors Safely"):

static int open_devnull(int fd) {
  FILE *f = 0;

  if (!fd) f = freopen(_PATH_DEVNULL, "rb", stdin);
  else if (fd == 1) f = freopen(_PATH_DEVNULL, "wb", stdout);
  else if (fd == 2) f = freopen(_PATH_DEVNULL, "wb", stderr);
  return (f && fileno(f) == fd);
}

In the gdb case the descriptor (or also FILE * handle) would need to be checked whether it is read-only or read-write or write-only and an appropriate replacement opened on /dev/null. If not, a once read-only handle that is now write-only will cause needless errors should the process attempt to read from that.

What Could Go Wrong?

How exactly a process behaves when its file descriptors (and likely also FILE * handles) are fiddled behind the scenes will depend on the process and will vary from "no big deal" should that descriptor never be used to "nightmare mode" where there is now a corrupt file somewhere due to unflushed data, no file-was-properly-closed indicator, or some other unanticipated problem.

For FILE * handles the addition of a fflush(3) call before closing the handle may help, or may cause double buffering or some other issue; this is one of the several hazards of making random calls in gdb without knowing exactly what the source code does and expects. Software may also have additional layers of complexity built on top of fd descriptors or the FILE * handles that may also need to be dealt with. Monkey patching the code could turn into a monkey wrench easily enough.

Summary

Sending a process a standard terminate signal should give it a chance to properly close out resources, same as when a system shuts down normally. Fiddling with a process with gdb will likely not properly close things out, and could make the situation very much worse.