2 Replies Latest reply: Nov 6, 2009 1:00 PM by 807559 RSS

    How do I determine logged-in user ID from syscall probe ?

    807559
      Hello All - I am trying to determine the actual logged in user ID for the process/thread that is making a syscall from within a dtrace syscall probe handler. If I use the dtrace variable curpsinfo->pr_uid or curpsinfo->pr_euid I can obtain the correct UID as long as that user is not SUed to another user or root. If the user is SUed to root, then both the pr_uid and pr_euid values are 0 (for root).

      Can someone please help me find another place in some dtrace or kernel data structure that there is access to that would contain the actual logged-in user ID? Maybe somewhere in an audit data structure or something?

      Any help is greatly appreciated !! Thanks!

      Edited by: AndyFanton on Oct 6, 2009 3:31 PM