On May 21, 2007, at 10:16 PM, Todd Heberlein wrote:

> I apologize if this is a bonehead question, but why is the Mac doing an execve() on "/dev/null"?
>
> Here is the BSM audit record from a PowerPC showing the execve:
>
> header,123,1,execve(2),0,Mon May 21 09:30:23 2007, + 431 msec
> path,/dev/null
> path,/dev/null
> attribute,20666,root,wheel,46807492,0,50331650
> subject,heberlei,heberlei,staff,heberlei,staff, 452,384,50331650,0.0.0.0
> return,success,0
> trailer,123

It's not executing it, it's opening /dev/null so that fd's 0, 1, and 2 are allocated for you, in case you are running an SUID program and forgot to be as careful with your coding as you should have been.

If you look at the Darwin sources, you will see this happening in xnu.bsd/kern_exec.c in the function exec_handle_sugid().

-- Terry

Darwin-kernel mailing list (Darwin-kernel@lists.apple.com)
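
The same defence applied in userland, as an added example that is not part of the original thread or of the xnu source: a privileged program checks descriptors 0, 1 and 2 at startup and points any closed one at /dev/null, so a later open() cannot land on a standard descriptor. The function name `sanitize_std_fds` and the open modes chosen are assumptions of this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/*
 * Make sure descriptors 0, 1 and 2 are open. Any that are closed are
 * pointed at /dev/null, so a file opened later cannot be handed fd 0-2
 * and then receive stray stdio output (e.g. an error message written
 * to fd 2 ending up inside a privileged file).
 * Returns the number of descriptors repaired, or -1 on error.
 */
int sanitize_std_fds(void)
{
    int repaired = 0;

    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                 /* already open: leave it alone */
        if (errno != EBADF)
            return -1;                /* unexpected failure */

        /* Assumed modes: read-only for stdin, write-only for the rest. */
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd == -1)
            return -1;

        if (nfd != fd) {
            /* open() returns the lowest free fd, so this should not
             * happen here, but never assume: force the slot we want. */
            if (dup2(nfd, fd) == -1) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
        repaired++;
    }
    return repaired;
}

int main(void)
{
    /* Try it with all three closed:  ./a.out 0<&- 1>&- 2>&-  */
    return sanitize_std_fds() < 0 ? 1 : 0;
}
```

Call it first thing in main(), before any file is opened or any output is written.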