
fchmodat

Intro

fchmodat - change permissions of a file in a given directory

Description

The fchmodat system call changes the file mode (file-permission bits) of a given file relative to a directory file descriptor. It takes four arguments:

  • A directory file descriptor (dirfd)
  • A relative pathname of the file to be modified (pathname)
  • An octal mode value corresponding to the desired file permission bits (mode)
  • A flag (flags) indicating whether symlinks should be followed when changing the file permission

The mode argument is a set of permission bits defined by POSIX. It assigns read, write and execute permissions to the file's owner, the file's group and other users respectively. The flags argument lets the caller specify whether symbolic links are followed when the permission change is applied.

Arguments

  • dirfd: int[K] - The directory file descriptor.
  • pathname: const char*[K] - The relative pathname of the file to be modified.
  • mode: mode_t[K] - An octal number containing the desired permission bits for the file.
  • flags: int[K] - Flag specifying whether the file permission should follow symlinks or not.

Available Tags

  • K - Originated from kernel-space.

Hooks

fchmodat_common

Type

Kprobes

Purpose

Monitor changes to file permissions in a given directory.

Example Use Case

An application that needs to audit changes in file system permissions in a given directory. By hooking the fchmodat system call, changes in the file permissions can be monitored in real-time and useful information such as the process ID that initiated the changes can be quickly extracted.
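
One way to implement the audit described above, added here as an example and not taken from Tracee: it checks fchmodat events for setuid, setgid or world-writable bits and records what the pathname is relative to. The event layout (name/value argument pairs, mode as an integer), the sample events and the function names are assumptions of this example.

```python
import stat

AT_FDCWD = -100              # Linux: dirfd value meaning "relative to the cwd"
AT_SYMLINK_NOFOLLOW = 0x100  # Linux: do not follow a trailing symlink

# Constructed sample events; the dict layout is an assumption of this example.
SAMPLE_EVENTS = [
    {"eventName": "fchmodat", "processId": 4121, "args": [
        {"name": "dirfd", "value": AT_FDCWD},
        {"name": "pathname", "value": "build/helper"},
        {"name": "mode", "value": 0o4755},
        {"name": "flags", "value": 0}]},
    {"eventName": "fchmodat", "processId": 4122, "args": [
        {"name": "dirfd", "value": 7},
        {"name": "pathname", "value": "cache/tmp.dat"},
        {"name": "mode", "value": 0o666},
        {"name": "flags", "value": AT_SYMLINK_NOFOLLOW}]},
    {"eventName": "fchmodat", "processId": 4123, "args": [
        {"name": "dirfd", "value": AT_FDCWD},
        {"name": "pathname", "value": "notes.txt"},
        {"name": "mode", "value": 0o644},
        {"name": "flags", "value": 0}]},
]

RISKY_BITS = [(stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"),
              (stat.S_IWOTH, "world-writable")]

def audit_fchmodat(event):
    """Return a finding for an fchmodat event that sets risky bits, else None."""
    if event.get("eventName") != "fchmodat":
        return None
    args = {a["name"]: a["value"] for a in event["args"]}
    reasons = [label for bit, label in RISKY_BITS if args["mode"] & bit]
    if not reasons:
        return None
    # An absolute pathname makes the kernel ignore dirfd; otherwise the path
    # is only meaningful together with the directory that dirfd refers to.
    if args["pathname"].startswith("/"):
        base = "absolute"
    elif args["dirfd"] == AT_FDCWD:
        base = "cwd"
    else:
        base = f"fd {args['dirfd']}"
    return {"pid": event["processId"], "path": args["pathname"], "base": base,
            "mode": oct(args["mode"]), "reasons": reasons,
            "follows_symlink": not args["flags"] & AT_SYMLINK_NOFOLLOW}

def audit_all(events):
    """Return the findings for every risky fchmodat event in events."""
    return [f for f in map(audit_fchmodat, events) if f]
```

A finding whose base is a numeric fd cannot be mapped to a full path from the event alone; the directory behind that descriptor has to be resolved separately.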

Issues

Since the pathname argument is a relative pathname, it is vulnerable to TOCTOU (time-of-check to time-of-use) bugs, and the behavior is undefined if the file described by pathname is changed after the system call is initiated.

Related Events

  • fchmod - change permissions of a file by its pathname.
  • umask - set file mode creation mask.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.