fchownat

Intro

fchownat - changes the ownership and group of a given file.

Description

This syscall changes the owner and group of a given file. The file is identified by a pathname, which is resolved relative to the directory referred to by the file descriptor dirfd. An additional flags argument controls whether a symbolic link is followed or changed in place (AT_SYMLINK_NOFOLLOW flag) and whether missing ancestor directories are created (AT_CREATE).

Arguments

  • dirfd:int[K] - dirfd is the file descriptor of the directory from which a relative pathname is resolved. It can be set to AT_FDCWD to use the current working directory. It must refer to a directory.
  • pathname:const char*[U] - pathname is the name of the file. If it is relative, it is resolved relative to the directory given in dirfd; if it is absolute, dirfd is ignored.
  • owner:uid_t[K] - owner is the UID to set as the owner of the file.
  • group:gid_t[K] - group is the GID to set as the group of the file.
  • flags:int[K] - flags controls whether a symbolic link is followed or changed in place (AT_SYMLINK_NOFOLLOW flag) and whether missing ancestor directories are created (AT_CREATE).

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, a pointer to user-space memory used to get it).
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

do_fchownat

Type

Kprobe + Kretprobe

Purpose

To capture syscall arguments made to fchownat.

Example Use Case

One example use case could be to capture events when a certain user is changing the ownership of a file.

Issues

This syscall can be subject to a race condition: when the caller checks the target (for example with stat) and then calls fchownat, the file at that path can be replaced or relinked between the check and the ownership change, so the chown lands on a different inode than the one that was inspected. Using AT_SYMLINK_NOFOLLOW limits which inode is affected but does not by itself close the window between the check and the use.
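The following program is an added example, not part of the original Tracee documentation, and not Tracee's own code. It builds a small scratch tree under /tmp (a regular file, a symlink to it, and a dangling symlink; all constructed for the example), then shows two things from this page: how the flags argument decides which inode fchownat resolves (a dangling link is followed and fails with ENOENT, but with AT_SYMLINK_NOFOLLOW the link inode itself is changed), and the usual defensive pattern against the check-then-use race, namely resolving the name exactly once with openat(O_NOFOLLOW) and applying the change to the resulting descriptor with fchown(2). The ownership written is the caller's own uid and gid, so the program runs unprivileged. The helper names make_fixture, chown_self, chown_self_pinned and run_demo are this example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Scratch layout created under /tmp (constructed for this example):
 *   target    ordinary file owned by the caller
 *   link      symlink -> target
 *   dangling  symlink -> does-not-exist
 * Returns an O_DIRECTORY descriptor to use as dirfd, or -1 on error. */
static int make_fixture(char *dir, size_t dirlen) {
    if (dirlen < sizeof "/tmp/fchownat-demo-XXXXXX") return -1;
    strcpy(dir, "/tmp/fchownat-demo-XXXXXX");
    if (mkdtemp(dir) == NULL) return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0) return -1;
    int fd = openat(dfd, "target", O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    close(fd);
    if (symlinkat("target", dfd, "link") < 0) return -1;
    if (symlinkat("does-not-exist", dfd, "dangling") < 0) return -1;
    return dfd;
}

static void remove_fixture(int dfd, const char *dir) {
    unlinkat(dfd, "dangling", 0);
    unlinkat(dfd, "link", 0);
    unlinkat(dfd, "target", 0);
    close(dfd);
    rmdir(dir);
}

/* Calls fchownat with the caller's own uid/gid (an ownership "change" an
 * unprivileged owner is permitted to make) and returns 0 on success or the
 * errno. The point of interest is which inode the kernel resolves: with
 * flags == 0 a symlink is followed, with AT_SYMLINK_NOFOLLOW the link
 * itself is the object being changed. */
static int chown_self(int dirfd, const char *name, int flags) {
    if (fchownat(dirfd, name, getuid(), getgid(), flags) < 0) return errno;
    return 0;
}

/* Race-resistant variant: resolve the name once with O_NOFOLLOW, so a
 * symlink in the final component is rejected (ELOOP) instead of followed,
 * then change ownership through the open descriptor with fchown(2). The
 * descriptor is pinned to the inode that was opened, so replacing the
 * directory entry afterwards cannot redirect the chown. */
static int chown_self_pinned(int dirfd, const char *name) {
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return errno;
    int rc = fchown(fd, getuid(), getgid()) < 0 ? errno : 0;
    close(fd);
    return rc;
}

/* Runs the scenarios; returns 0 when every observation matches the
 * semantics described above, otherwise a bitmask naming the mismatches
 * (or -1 if the fixture could not be created). */
int run_demo(void) {
    char dir[64];
    int dfd = make_fixture(dir, sizeof dir);
    if (dfd < 0) return -1;
    int bad = 0;
    /* flags == 0: the dangling link is followed, so the kernel reports ENOENT */
    if (chown_self(dfd, "dangling", 0) != ENOENT) bad |= 1;
    /* AT_SYMLINK_NOFOLLOW: the link inode itself is changed, and it exists */
    if (chown_self(dfd, "dangling", AT_SYMLINK_NOFOLLOW) != 0) bad |= 2;
    /* a plain file is changed either way */
    if (chown_self(dfd, "target", 0) != 0) bad |= 4;
    /* pinned variant: plain file accepted, any symlink rejected with ELOOP */
    if (chown_self_pinned(dfd, "target") != 0) bad |= 8;
    if (chown_self_pinned(dfd, "link") != ELOOP) bad |= 16;
    remove_fixture(dfd, dir);
    return bad;
}

int main(void) {
    int rc = run_demo();
    printf("run_demo() -> %d (%s)\n", rc,
           rc == 0 ? "all observations as expected" : "mismatch");
    return rc == 0 ? 0 : 1;
}
```

Seen through the do_fchownat hook, both chown_self calls produce an fchownat event with the same dirfd and pathname, differing only in the flags value, which is why the flags argument is worth keeping in detections that watch ownership changes on link-heavy paths; the pinned variant instead shows up as an openat followed by a fchown on a descriptor, with no pathname in the second event.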

Related Events

  • openat - to open a file given a directory descriptor and a path

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.