a2o / snoopy

Snoopy Command Logger is a small library that logs all program executions on your Linux/BSD system.


CSF (v14.10) plugin in DirectAdmin segfaults when Snoopy (2.4.14) is enabled

yavuzaydin opened this issue · comments

Issue description - Environment basics

Architecture: x86_64
Linux distribution: CentOS
Distribution version: 7.9.2009
Snoopy version: 2.4.14
Snoopy config file was used: yes
Snoopy threading support enabled: no
Snoopy installed with: the install script with the stable parameter

Snoopy config file

[snoopy]
error_logging = no
filter_chain = ""
message_format = "[login:%{login} ssh:(%{env:SSH_CONNECTION}) sid:%{sid} tty:%{tty} (%{tty_uid}/%{tty_username}) uid:%{username}(%{uid})/%{eusername}(%{euid}) cwd:%{cwd} filename:%(unknown)]: %{cmdline}"
output = devlog
syslog_facility = LOG_AUTHPRIV
syslog_ident = "snoopy"
syslog_level = LOG_INFO

Bug description

CSF (v14.10) plugin in DirectAdmin segfaults when Snoopy (2.4.14) is enabled. CSF seems to function well otherwise.

Bug reproduction steps

Install CentOS 7
Install DirectAdmin
Install CSF
Access "ConfigServer Security & Firewall" under "Extra Features" in DirectAdmin

Expected result

The CSF page is displayed.

Actual result

An empty page is displayed. Log shows:
csf[31760]: segfault at 0 ip 00007fc0d9ac7561 sp 00007fff6b481990 error 4 in libsnoopy.so.0.0.0[7fc0d9ac1000+b000]

If there is anything I can do to help with this issue I would be glad to help. I'm not a developer, so I can't send a PR, but I can help and give access to a server with this setup if that helps.

Hey @yavuzaydin, thanks for reporting this.

Mind if I ask you to test two things before I get involved further?

  1. If you change the message_format value to a "static string", does the segfault still occur? If not, can you narrow it down to which data source is causing this?
  2. Unrelated to #1 above, if you build Snoopy with threading support enabled (./configure --enable-thread-safety ...), does the error go away?

Thanks for the feedback,
b.

@bostjan thank you for your response.

  1. the data source causing this is cmdline
  2. I built from source with ./configure --enable-thread-safety --sysconfdir=/etc --enable-filtering --enable-config-file, unfortunately still the same. I restarted the directadmin service after installing the new version, that should be sufficient right? Is a restart absolutely necessary?

I don't think the restart is necessary once Snoopy is preloaded into your (now) running program, but it can't hurt to weed out any weird side effects of the "in-flight" replacement.

@yavuzaydin, does this method of bug reproduction work in a containerized environment (Docker, LXC), or do I have to use a dedicated VM to replicate this?

As expected a reboot didn't change anything.

@bostjan I don't have any containerized environment but I could provide you with access to a test VPS if you wish, just let me know.

@yavuzaydin, that'd really help cut down the time to analyse this issue. Can you reach out to me via email (you can find it in Snoopy's git history) and we'll sync on how to transfer the credentials?

Thanks!

@bostjan I have sent you the details of the server by mail. Let me know if I can assist you with anything else.

@yavuzaydin thank you for providing the infrastructure/environment to investigate this issue. Here's a quick recap:

DirectAdmin (or whatever they are using as runtime - Go, maybe?) calls execve() with a NULL argv argument, which is contrary to the convention (see man execve for details) that says an "empty" argv (= when executing another program without any arguments) should not be NULL, but should instead contain the called program's name as argv[0] and NULL as argv[1].

The fix (#202) provides a workaround for this unconventional behaviour.

The fix has been released as Snoopy version 2.4.15.

PS: Ignore the build/install errors for v2.4.15 shown in Snoopy's README.md, that's just CI (actually just the OpenSUSE tumbleweed portion of it) acting up.
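The failure mode described in the recap above, as an added example that is not Snoopy's own code and not the actual fix in #202: a command-line formatter of the kind an execve() hook runs walks argv[] and, if it assumes the convention that argv[0] is always present, dereferences address 0 when the caller passes argv == NULL (matching the "segfault at 0" in the report). The version below treats a NULL or empty argv as "no arguments", truncates instead of overflowing its output buffer, and the main() reproduces the caller side by forking and calling execve() with a NULL argv on Linux. Function names (build_cmdline, argv_is_conventional) and the use of /bin/true are assumptions of this example.

```c
/* Added example, not code from the Snoopy project: a NULL-safe cmdline
 * formatter of the kind an LD_PRELOAD execve() hook needs, plus a caller
 * that reproduces the non-conventional execve(path, NULL, envp) call.
 * Names are hypothetical; build with: cc -std=c99 -Wall example.c */
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/wait.h>

/* 1 if argv follows the execve() convention (argv[0] present), else 0.
 * The naive form "for (i = 0; argv[i]; i++)" reads *argv first and so
 * faults at address 0 when argv itself is NULL. */
int argv_is_conventional(char *const argv[])
{
    return argv != NULL && argv[0] != NULL;
}

/* Join argv[] with single spaces into out[outlen]; always NUL-terminates,
 * truncates rather than overflows, and returns the number of arguments
 * seen (0 for a NULL or empty argv). */
size_t build_cmdline(char *const argv[], char *out, size_t outlen)
{
    size_t argc = 0, used = 0;

    if (outlen == 0)
        return 0;
    out[0] = '\0';

    /* Guard for the DirectAdmin case: no argv at all. */
    if (argv == NULL)
        return 0;

    for (argc = 0; argv[argc] != NULL; argc++) {
        const char *a = argv[argc];
        size_t alen = strlen(a);
        size_t room = outlen - 1 - used;      /* bytes left before the NUL */

        if (argc > 0 && room > 0) {           /* separator between args */
            out[used++] = ' ';
            room--;
        }
        if (alen > room)
            alen = room;                      /* truncate, never overflow */
        memcpy(out + used, a, alen);
        used += alen;
        out[used] = '\0';
    }
    return argc;
}

int main(void)
{
    char buf[256];
    char *const normal[] = { "ls", "-la", NULL };
    char *const envp[] = { NULL };
    size_t n;
    pid_t pid;
    int status;

    n = build_cmdline(normal, buf, sizeof buf);
    printf("normal argv : argc=%zu cmdline=\"%s\"\n", n, buf);

    n = build_cmdline(NULL, buf, sizeof buf);
    printf("NULL argv   : argc=%zu cmdline=\"%s\" conventional=%d\n",
           n, buf, argv_is_conventional(NULL));

    /* Caller side: execve() with argv == NULL. Linux accepts this (man 2
     * execve calls it a nonportable misfeature); a preloaded hook that
     * walks argv without the guard above crashes here before the real
     * execve() is ever reached. /bin/true is assumed to exist. */
    pid = fork();
    if (pid == 0) {
        execve("/bin/true", NULL, envp);
        _exit(127);                           /* only reached if execve fails */
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        printf("execve(\"/bin/true\", NULL, envp): child exit status %d\n",
               WEXITSTATUS(status));
    return 0;
}
```

Running it on Linux prints the formatted cmdline for a normal argv, an empty cmdline with argc=0 for the NULL argv, and exit status 0 from the child, showing that the kernel executes the program even though no argv[0] was supplied, so the hook is the only place the assumption can fail.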