Currently even if root ktraces an unprivileged process that execs a sguid executable, then tracing aborted at that point. I think that that happens because wrong credentials are checked at that point. What do you think about the following patch? commit 956a80783bc39162b1d64383188c5037f9767413 Author: Andriy Gapon <avg@icyb.net.ua> Date: Sat Sep 22 18:17:46 2012 +0300 kern_exec: check p_tracecred instead of p_cred ... when deciding whether to continue tracing across suid/sgid exec diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index 90f7311..8d62c1e 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -694,7 +694,8 @@ interpret: setsugid(p); #ifdef KTRACE - if (priv_check_cred(oldcred, PRIV_DEBUG_DIFFCRED, 0)) + if (p->p_tracecred != NULL && + priv_check_cred(p->p_tracecred, PRIV_DEBUG_DIFFCRED, 0)) ktrprocexec(p, &tracecred, &tracevp); #endif /* -- Andriy Gapon