Hello All - I am trying to determine the actual logged in user ID for the process/thread that is making a syscall from within a dtrace syscall probe handler. If I use the dtrace variable curpsinfo->pr_uid or curpsinfo->pr_euid I can obtain the correct UID as long as that user is not SUed to another user or root. If the user is SUed to root, then both the pr_uid and pr_euid values are 0 (for root).
Can someone please help me find another place in some dtrace or kernel data structure that there is access to that would contain the actual logged-in user ID? Maybe somewhere in an audit data structure or something?