13

Is there a way to find out the origin of a signal sent in Red Hat Enterprise Linux 5 (SIGTERM etc.)? I'm regularly trapping a TERM in an application and I have no idea where it is coming from.

user27451
  • 1,151
  • 2
  • 10
  • 14

4 Answers4

14

The man page for sigaction(2) suggests that the PID of the signal sender is available in the siginfo_t structure passed to your signal handler. This obviously requires that you use sigaction().

From the man page:

The sigaction structure is defined as something like:

   struct sigaction {
       void     (*sa_handler)(int);
       void     (*sa_sigaction)(int, siginfo_t *, void *);
       sigset_t   sa_mask;
       int        sa_flags;
       void     (*sa_restorer)(void);
   };

And the siginfo_t structure looks like this:

   siginfo_t {
       int      si_signo;    /* Signal number */
       int      si_errno;    /* An errno value */
       int      si_code;     /* Signal code */
       int      si_trapno;   /* Trap number that caused
                                hardware-generated signal
                                (unused on most architectures) */
       pid_t    si_pid;      /* Sending process ID */
       uid_t    si_uid;      /* Real user ID of sending process */
       int      si_status;   /* Exit value or signal */
       clock_t  si_utime;    /* User time consumed */
       clock_t  si_stime;    /* System time consumed */
       sigval_t si_value;    /* Signal value */
       int      si_int;      /* POSIX.1b signal */
       void    *si_ptr;      /* POSIX.1b signal */
       int      si_overrun;  /* Timer overrun count; POSIX.1b timers */
       int      si_timerid;  /* Timer ID; POSIX.1b timers */
       void    *si_addr;     /* Memory location which caused fault */
       int      si_band;     /* Band event */
       int      si_fd;       /* File descriptor */
   }
larsks
  • 41,276
  • 13
  • 117
  • 170
  • Thanks for the answer, didn't expect so many details. I am using Java service wrapper, and when set to "debug" it will print something like this: Signal trapped. Details: signal number=15 (SIGTERM), source="kill, sigsend or raise" signal generated by PID: 2194 (Session PID: 2164), UID: 1002 (alfresco) I only found out after googling for "si_pid" and finding the wrapper unix c source. :-) – user27451 Dec 16 '09 at 17:37
1

You can trace signals using systemtap. Here is a simple example

https://sourceware.org/systemtap/examples/lwtools/killsnoop-nd.stp

jorel
  • 11
  • 1
1

On platforms with DTrace (OS X, Solaris, …others?) you can use it with a probe like this to log the information you're after:

sudo dtrace -n 'proc:::signal-send { printf("Process %d (%s by UID %d) sending signal %d to pid=%d\n",pid,execname,uid,args[2],args[1]->pr_pid); }'

I based this on a script found at the bottom of http://www.brendangregg.com/DTrace/dtrace_oneliners.txt plus some additional "relevant variable names" tips at https://stackoverflow.com/a/10465606/179583, and seems to work under some basic testing. Now, if only my process would unexpectedly die again! ;-)

Community
  • 1
natevw
  • 133
  • 1
  • 1
  • 7
  • 1
    For other platforms there's `strace` which serves the same purpose if I'm not mistaken. I was able to trace the signals received by a process by following [this article](https://www.ibm.com/developerworks/community/blogs/aimsupport/entry/Finding_the_source_of_signals_on_Linux_with_strace_auditd_or_Systemtap?lang=en). – Aaron Aug 24 '17 at 09:47
-2

No,you cant know who is sending a signal.

sntg
  • 1,424
  • 11
  • 15