read(0, "NeverTrustUZ\n"..., 511) = 13 ioctl(0, SNDCTL_TMR_STOP or TCSETSW, {B38400 opost isig icanon echo ...}) = 0 write(2, "\n"..., 1) = 1 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 ioctl(0, SNDCTL_TMR_STOP or TCSETSW, {B38400 opost isig icanon echo ...}) = 0 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=2559, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4f000 read(3, "root:x:0:0:root:/root:/bin/bash\nb"..., 4096) = 2559 close(3) = 0 munmap(0xb7f4f000, 4096) = 0 geteuid32() = 0 gettid() = 3537 open("/proc/self/task/3537/attr/current", O_RDONLY|O_LARGEFILE) = 3 read(3, "unconfined_u:unconfined_r:unconfi"..., 4095) = 42 close(3) = 0 pipe([3, 4]) = 0 rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}, 8) = 0 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7f2a708) = 3546 write(4, "NeverTrustUZ\0"..., 13) = 13 close(3) = 0 close(4) = 0 waitpid(3546, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 3546 --- SIGCHLD (Child exited) @ 0 (0) --- rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}, 8) = 0 socket(PF_NETLINK, SOCK_RAW, 9) = 3 fcntl64(3, F_SETFD, FD_CLOEXEC) = 0 readlink("/proc/self/exe", "/bin/su"..., 4095) = 7 sendto(3, "t\0\0\0L\4\5\0\1\0\0\0\0\0\0\0op=PAM:authentica"..., 116, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 116 poll([{fd=3, events=POLLIN}], 1, 100) = 1 ([{fd=3, revents=POLLIN}]) recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0\321\r\0\0\0\0\0\0t\0\0\0L\4\5\0\1\0\0\0\0"..., 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36 recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0\321\r\0\0\0\0\0\0t\0\0\0L\4\5\0\1\0\0\0\0"..., 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36 close(3) = 0 getuid32() = 500 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=2559, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4f000 read(3, "root:x:0:0:root:/root:/bin/bash\nb"..., 4096) = 2559 close(3) = 0 munmap(0xb7f4f000, 4096) = 0 getuid32() = 500 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=2559, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4f000 read(3, "root:x:0:0:root:/root:/bin/bash\nb"..., 4096) = 2559 close(3) = 0 munmap(0xb7f4f000, 4096) = 0 geteuid32() = 0 gettid() = 3537 open("/proc/self/task/3537/attr/current", O_RDONLY|O_LARGEFILE) = 3 read(3, "unconfined_u:unconfined_r:unconfi"..., 4095) = 42 close(3) = 0 pipe([3, 4]) = 0 rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}, 8) = 0 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7f2a708) = 3547 close(4) = 0 waitpid(3547, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 3547 --- SIGCHLD (Child exited) @ 0 (0) --- read(3, "-1\n"..., 31) = 3 read(3, ""..., 28) = 0 close(3) = 0 rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}, 8) = 0 open("/etc/passwd", O_RDONLY|O_LARGEFILE) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=2559, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4f000 read(3, "root:x:0:0:root:/root:/bin/bash\nb"..., 4096) = 2559 close(3) = 0 munmap(0xb7f4f000, 4096) = 0 socket(PF_NETLINK, SOCK_RAW, 9) = 3 fcntl64(3, F_SETFD, FD_CLOEXEC) = 0 readlink("/proc/self/exe", "/bin/su"..., 4095) = 7 sendto(3, "p\0\0\0M\4\5\0\2\0\0\0\0\0\0\0op=PAM:accounting"..., 112, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 112 poll([{fd=3, events=POLLIN}], 1, 100) = 1 ([{fd=3, revents=POLLIN}]) recvfrom(3, "$\0\0\0\2\0\0\0\2\0\0\0\321\r\0\0\0\0\0\0p\0\0\0M\4\5\0\2\0\0\0\0"..., 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36 recvfrom(3, "$\0\0\0\2\0\0\0\2\0\0\0\321\r\0\0\0\0\0\0p\0\0\0M\4\5\0\2\0\0\0\0"..., 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36 close(3) = 0 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=2559, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4f000 read(3, "root:x:0:0:root:/root:/bin/bash\nb"..., 4096) = 2559 close(3) = 0 munmap(0xb7f4f000, 4096) = 0 getuid32() = 500 getgid32() = 500 setregid32(0, -1) = 0 setreuid32(0, -1) = 0 keyctl(0x1, 0, 0x1f4, 0, 0x1f4) = 298018425 keyctl(0x8, 0xfffffffc, 0xfffffffd, 0, 0x1f4) = 0 setreuid32(500, -1) = 0 setregid32(500, -1) = 0 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=2559, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4f000 read(3, "root:x:0:0:root:/root:/bin/bash\nb"..., 4096) = 2559 close(3) = 0 munmap(0xb7f4f000, 4096) = 0 getrlimit(RLIMIT_CPU, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0 getrlimit(RLIMIT_FSIZE, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0 getrlimit(RLIMIT_DATA, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0 getrlimit(RLIMIT_STACK, {rlim_cur=10240*1024, rlim_max=RLIM_INFINITY}) = 0 getrlimit(RLIMIT_CORE, {rlim_cur=0, rlim_max=RLIM_INFINITY}) = 0 getrlimit(RLIMIT_RSS, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0 getrlimit(RLIMIT_NPROC, {rlim_cur=1024, rlim_max=10223}) = 0 getrlimit(RLIMIT_NOFILE, {rlim_cur=1024, rlim_max=1024}) = 0 getrlimit(RLIMIT_MEMLOCK, {rlim_cur=32*1024, rlim_max=32*1024}) = 0 getrlimit(RLIMIT_AS, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0 getrlimit(RLIMIT_LOCKS, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0 getrlimit(RLIMIT_SIGPENDING, {rlim_cur=10223, rlim_max=10223}) = 0 getrlimit(RLIMIT_MSGQUEUE, {rlim_cur=800*1024, rlim_max=800*1024}) = 0 getrlimit(RLIMIT_NICE, {rlim_cur=0, rlim_max=0}) = 0 getrlimit(RLIMIT_RTPRIO, {rlim_cur=0, rlim_max=0}) = 0 getpriority(PRIO_PROCESS, 0) = 20 open("/etc/security/limits.conf", O_RDONLY|O_LARGEFILE) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=2007, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4f000 read(3, "# /etc/security/limits.conf\n#\n#Ea"..., 4096) = 2007 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=2559, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4e000 read(4, "root:x:0:0:root:/root:/bin/bash\nb"..., 4096) = 2559 close(4) = 0 munmap(0xb7f4e000, 4096) = 0 socket(PF_FILE, 0x80801 /* SOCK_??? */, 0) = 4 connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"...}, 110) = -1 ENOENT (No such file or directory) close(4) = 0 socket(PF_FILE, 0x80801 /* SOCK_??? */, 0) = 4 connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"...}, 110) = -1 ENOENT (No such file or directory) close(4) = 0 open("/etc/group", O_RDONLY|O_CLOEXEC) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=1015, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4e000 read(4, "root:x:0:root\nbin:x:1:root,bin,da"..., 4096) = 1015 close(4) = 0 munmap(0xb7f4e000, 4096) = 0 open("/etc/group", O_RDONLY|O_CLOEXEC) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=1015, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4e000 _llseek(4, 0, [0], SEEK_CUR) = 0 read(4, "root:x:0:root\nbin:x:1:root,bin,da"..., 4096) = 1015 read(4, ""..., 4096) = 0 close(4) = 0 munmap(0xb7f4e000, 4096) = 0 open("/etc/group", O_RDONLY|O_CLOEXEC) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=1015, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4e000 _llseek(4, 0, [0], SEEK_CUR) = 0 read(4, "root:x:0:root\nbin:x:1:root,bin,da"..., 4096) = 1015 read(4, ""..., 4096) = 0 close(4) = 0 munmap(0xb7f4e000, 4096) = 0 open("/etc/group", O_RDONLY|O_CLOEXEC) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=1015, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4e000 _llseek(4, 0, [0], SEEK_CUR) = 0 read(4, "root:x:0:root\nbin:x:1:root,bin,da"..., 4096) = 1015 read(4, ""..., 4096) = 0 close(4) = 0 munmap(0xb7f4e000, 4096) = 0 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=2559, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4e000 read(4, "root:x:0:0:root:/root:/bin/bash\nb"..., 4096) = 2559 close(4) = 0 munmap(0xb7f4e000, 4096) = 0 open("/etc/group", O_RDONLY|O_CLOEXEC) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=1015, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4e000 read(4, "root:x:0:root\nbin:x:1:root,bin,da"..., 4096) = 1015 close(4) = 0 munmap(0xb7f4e000, 4096) = 0 open("/etc/group", O_RDONLY|O_CLOEXEC) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=1015, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4e000 _llseek(4, 0, [0], SEEK_CUR) = 0 read(4, "root:x:0:root\nbin:x:1:root,bin,da"..., 4096) = 1015 read(4, ""..., 4096) = 0 close(4) = 0 munmap(0xb7f4e000, 4096) = 0 open("/etc/group", O_RDONLY|O_CLOEXEC) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=1015, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4e000 _llseek(4, 0, [0], SEEK_CUR) = 0 read(4, "root:x:0:root\nbin:x:1:root,bin,da"..., 4096) = 1015 read(4, ""..., 4096) = 0 close(4) = 0 munmap(0xb7f4e000, 4096) = 0 open("/etc/group", O_RDONLY|O_CLOEXEC) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=1015, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4e000 _llseek(4, 0, [0], SEEK_CUR) = 0 read(4, "root:x:0:root\nbin:x:1:root,bin,da"..., 4096) = 1015 read(4, ""..., 4096) = 0 close(4) = 0 munmap(0xb7f4e000, 4096) = 0 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=2559, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4e000 read(4, "root:x:0:0:root:/root:/bin/bash\nb"..., 4096) = 2559 close(4) = 0 munmap(0xb7f4e000, 4096) = 0 open("/etc/group", O_RDONLY|O_CLOEXEC) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=1015, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4e000 read(4, "root:x:0:root\nbin:x:1:root,bin,da"..., 4096) = 1015 read(4, ""..., 4096) = 0 close(4) = 0 munmap(0xb7f4e000, 4096) = 0 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=2559, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4e000 read(4, "root:x:0:0:root:/root:/bin/bash\nb"..., 4096) = 2559 close(4) = 0 munmap(0xb7f4e000, 4096) = 0 open("/etc/group", O_RDONLY|O_CLOEXEC) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=1015, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4e000 read(4, "root:x:0:root\nbin:x:1:root,bin,da"..., 4096) = 1015 read(4, ""..., 4096) = 0 close(4) = 0 munmap(0xb7f4e000, 4096) = 0 read(3, ""..., 4096) = 0 close(3) = 0 munmap(0xb7f4f000, 4096) = 0 open("/etc/security/limits.d", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC) = 3 fstat64(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 fcntl64(3, F_GETFD) = 0x1 (flags FD_CLOEXEC) getdents64(3, /* 3 entries */, 4096) = 88 open("/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=26040, ...}) = 0 mmap2(NULL, 26040, PROT_READ, MAP_SHARED, 4, 0) = 0xb7f49000 close(4) = 0 getdents64(3, /* 0 entries */, 4096) = 0 close(3) = 0 open("/etc/security/limits.d/90-nproc.conf", O_RDONLY|O_LARGEFILE) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=152, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f48000 read(3, "# Default limit for number of use"..., 4096) = 152 read(3, ""..., 4096) = 0 close(3) = 0 munmap(0xb7f48000, 4096) = 0 setrlimit(RLIMIT_NPROC, {rlim_cur=1024, rlim_max=10223}) = 0 setpriority(PRIO_PROCESS, 0, 0) = 0 getuid32() = 500 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=2559, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f48000 read(3, "root:x:0:0:root:/root:/bin/bash\nb"..., 4096) = 2559 close(3) = 0 munmap(0xb7f48000, 4096) = 0 getuid32() = 500 access("/var/run/utmpx", F_OK) = -1 ENOENT (No such file or directory) open("/var/run/utmp", O_RDWR|O_LARGEFILE|O_CLOEXEC) = 3 _llseek(3, 0, [0], SEEK_SET) = 0 alarm(0) = 0 rt_sigaction(SIGALRM, {0x2509f0, [], 0}, {SIG_DFL}, 8) = 0 alarm(1) = 0 fcntl64(3, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0 read(3, "\2\0\0\0\0\0\0\0~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\1\0\0\0003\0\0\0~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0*\n\0\0tty1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0+\n\0\0tty6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0(\n\0\0tty2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0&\n\0\0tty4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0'\n\0\0tty5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0)\n\0\0tty3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\365\f\0\0pts/0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 fcntl64(3, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0 alarm(0) = 1 rt_sigaction(SIGALRM, {SIG_DFL}, NULL, 8) = 0 close(3) = 0 getuid32() = 500 time(NULL) = 1217549388 open("/etc/localtime", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0 fstat64(3, {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f48000 read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0\0"..., 4096) = 3519 _llseek(3, -24, [3495], SEEK_CUR) = 0 read(3, "\nEST5EDT,M3.2.0,M11.1.0\n"..., 4096) = 24 close(3) = 0 munmap(0xb7f48000, 4096) = 0 socket(PF_FILE, 0x80002 /* SOCK_??? */, 0) = 3 connect(3, {sa_family=AF_FILE, path="/dev/log"...}, 110) = 0 send(3, "<86>Jul 31 20:09:48 su: pam_unix("..., 92, MSG_NOSIGNAL) = 92 access("/usr/X11R6/bin/xauth", X_OK) = -1 ENOENT (No such file or directory) access("/usr/bin/xauth", X_OK) = 0 getuid32() = 500 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=2559, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f48000 read(4, "root:x:0:0:root:/root:/bin/bash\nb"..., 4096) = 2559 close(4) = 0 munmap(0xb7f48000, 4096) = 0 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=2559, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f48000 read(4, "root:x:0:0:root:/root:/bin/bash\nb"..., 4096) = 2559 close(4) = 0 munmap(0xb7f48000, 4096) = 0 getuid32() = 500 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=2559, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f48000 read(4, "root:x:0:0:root:/root:/bin/bash\nb"..., 4096) = 2559 close(4) = 0 munmap(0xb7f48000, 4096) = 0 geteuid32() = 0 setfsuid32(500) = 0 open("/home/jim/.xauth/export", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory) setfsuid32(0) = 500 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=2559, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f48000 read(4, "root:x:0:0:root:/root:/bin/bash\nb"..., 4096) = 2559 close(4) = 0 munmap(0xb7f48000, 4096) = 0 geteuid32() = 0 setfsuid32(0) = 0 open("/root/.xauth/import", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory) setfsuid32(0) = 0 getgid32() = 500 getuid32() = 500 pipe([4, 5]) = 0 pipe([6, 7]) = 0 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7f2a708) = 3549 --- SIGCHLD (Child exited) @ 0 (0) --- close(4) = 0 close(7) = 0 close(5) = 0 read(6, "0100 0007 48502d4a434637 0001 30 "..., 2048) = 113 read(6, ""..., 1935) = 0 read(6, ""..., 2048) = 0 close(6) = 0 waitpid(3549, NULL, 0) = 3549 geteuid32() = 0 setfsuid32(0) = 0 gettimeofday({1217549388, 492137}, NULL) = 0 getpid() = 3537 open("/root/.xauthxDGvP4", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE, 0600) = 4 setfsuid32(0) = 0 fchown32(4, 0, 0) = 0 close(4) = 0 pipe([4, 5]) = 0 pipe([6, 7]) = 0 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7f2a708) = 3550 close(4) = 0 close(7) = 0 write(5, "0100 0007 48502d4a434637 0001 30 "..., 113) = 113 close(5) = 0 read(6, ""..., 2048) = 0 close(6) = 0 waitpid(3550, NULL, 0) = 3550 --- SIGCHLD (Child exited) @ 0 (0) --- socket(PF_NETLINK, SOCK_RAW, 9) = 4 fcntl64(4, F_SETFD, FD_CLOEXEC) = 0 readlink("/proc/self/exe", "/bin/su"..., 4095) = 7 sendto(4, "p\0\0\0Q\4\5\0\3\0\0\0\0\0\0\0op=PAM:session_op"..., 112, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 112 poll([{fd=4, events=POLLIN}], 1, 100) = 1 ([{fd=4, revents=POLLIN}]) recvfrom(4, "$\0\0\0\2\0\0\0\3\0\0\0\321\r\0\0\0\0\0\0p\0\0\0Q\4\5\0\3\0\0\0\0"..., 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36 recvfrom(4, "$\0\0\0\2\0\0\0\3\0\0\0\321\r\0\0\0\0\0\0p\0\0\0Q\4\5\0\3\0\0\0\0"..., 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36 close(4) = 0 open("/etc/security/pam_env.conf", O_RDONLY|O_LARGEFILE) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=2980, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f48000 read(4, "#\n# This is the configuration fil"..., 4096) = 2980 read(4, ""..., 4096) = 0 close(4) = 0 munmap(0xb7f48000, 4096) = 0 open("/etc/environment", O_RDONLY|O_LARGEFILE) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f48000 read(4, ""..., 4096) = 0 close(4) = 0 munmap(0xb7f48000, 4096) = 0 socket(PF_NETLINK, SOCK_RAW, 9) = 4 fcntl64(4, F_SETFD, FD_CLOEXEC) = 0 readlink("/proc/self/exe", "/bin/su"..., 4095) = 7 sendto(4, "l\0\0\0O\4\5\0\4\0\0\0\0\0\0\0op=PAM:setcred ac"..., 108, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 108 poll([{fd=4, events=POLLIN}], 1, 100) = 1 ([{fd=4, revents=POLLIN}]) recvfrom(4, "$\0\0\0\2\0\0\0\4\0\0\0\321\r\0\0\0\0\0\0l\0\0\0O\4\5\0\4\0\0\0\0"..., 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36 recvfrom(4, "$\0\0\0\2\0\0\0\4\0\0\0\321\r\0\0\0\0\0\0l\0\0\0O\4\5\0\4\0\0\0\0"..., 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36 close(4) = 0 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7f2a708) = 3551 rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], NULL, 8) = 0 rt_sigaction(SIGTERM, {0x8049610, [], 0}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [ALRM TERM], NULL, 8) = 0 waitpid(-1,