Got it! So when I want to figure out how to trace something, the recommended
course of action is do a strace on the operation, and look for a good syscall to
tag...
Bob
Steve Grubb wrote:
On Wednesday 02 May 2007 11:13, Robert Evans wrote:
If I log in as a typical user and try "chown bob /etc/shadow" I don't get
an event produced, however if I try "chmod 666 /etc/shadow" I do.
What am I missing here?
A syscall. If I am on a i386 machine and I strace chmod root file.txt, I see
this:
chown32("file.txt", 0, -1) = 0
So, you would want to use chown32 instead of chown on i386 machines. On x86_64
the chown syscall is used.
-Steve
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
