On Wednesday 02 May 2007 11:13, Robert Evans wrote:
> If I log in as a typical user and try "chown bob /etc/shadow" I don't get
> an event produced, however if I try "chmod 666 /etc/shadow" I do.
>
> What am I missing here?

A syscall. If I am on an i386 machine and I strace chmod root file.txt, I see 
this:

chown32("file.txt", 0, -1)        = 0

So, you would want to use chown32 instead of chown on i386 machines. On x86_64 
the chown syscall is used.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
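
An added example, not part of the original message: a shell helper that builds syscall audit rules for ownership changes on /etc/shadow, choosing syscall names per ABI as the reply describes. It goes beyond the reply by also listing the fchown/lchown/fchownat relatives and by emitting a 32-bit rule on x86_64 hosts for 32-bit binaries; the key name "owner-change" and the function names are assumptions.

```shell
#!/bin/sh
# Added example: emit audit rules for ownership changes to one file.
# The key name "owner-change" and all function names are assumptions.

# Syscall names per ABI. 32-bit x86 has the legacy 16-bit-uid calls
# (chown, fchown, lchown) plus the *32 variants seen in the strace output.
owner_syscalls() {
    case "$1" in
        b32) echo "chown fchown lchown chown32 fchown32 lchown32 fchownat" ;;
        b64) echo "chown fchown lchown fchownat" ;;
        *)   return 1 ;;
    esac
}

# ABIs that a kernel on the given machine type can execute.
abis_for_machine() {
    case "$1" in
        i?86)   echo "b32" ;;
        x86_64) echo "b64 b32" ;;   # 32-bit binaries still call chown32
        *)      return 1 ;;
    esac
}

# owner_rules MACHINE PATH: print one auditctl rule line per ABI.
owner_rules() {
    machine=$1
    path=$2
    abis=$(abis_for_machine "$machine") || return 1
    for abi in $abis; do
        line="-a always,exit -F arch=$abi"
        for sc in $(owner_syscalls "$abi"); do
            line="$line -S $sc"
        done
        echo "$line -F path=$path -k owner-change"
    done
}

# Print the rules for this host; each line is an argument list for auditctl.
owner_rules "$(uname -m)" /etc/shadow ||
    echo "machine type not covered by this example" >&2
```

A file watch with the attribute permission (`-w /etc/shadow -p a`) records the same changes without naming syscalls per architecture.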