utimes

Intro

utimes - System call to change the access and modification times of a given file or file descriptor.

Description

utimes is a syscall used to set the access and/or modification time of file filename or file descriptor fd to the user-specified value(s) in the times argument. If the times argument is null, the access and modification time of the given file or file descriptor will be set to the current time.

The utimes system call is especially useful when creating a backup of a file or when trying to reset the times of a file in order to keep it up to date with latest modifications. There are some caveats to using utimes, however. utimes will only work on files that are owned by the user, and it is vulnerable to TOCTOU (time of check, time of use) attacks, as the file or file descriptor may be changed between the time of checking and the time of updating.

Arguments

  • filename:char*[K, U, OPT] - Pointer to a null-terminated filename string.
  • times:struct timeval*[K, U] - Pointer to an array of two struct timeval objects. The first object contains the desired access time, and the second object contains the desired modification time.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, a pointer to user-space memory used to get it).
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use).
  • OPT - Optional argument; might not always be available (passed with a null value).

Hooks

sys_utimes

Type

Kprobes + Tracepoints

Purpose

To monitor changes to the file's access and modification times.

open_exec

Type

Kprobes

Purpose

To monitor usage of the utimes syscall.

Example Use Case

A backup program that wishes to keep the creation and modification dates of the backed up files up to date without altering the content of the original file.
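The backup use case above, as an added C example (not code from Tracee or the original page): it copies the access and modification times from one file to another with utimes, then checks that the kernel still stamps the target's change time (st_ctime) at the moment of the call, which is the trace a monitor or forensic review can rely on. The function names preserve_times and demo_preserve, the temporary file paths and the sample timestamps are constructed for illustration.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/time.h>

/* Copy access and modification times from src to dst with utimes(2).
 * times[0] is the access time, times[1] the modification time. */
int preserve_times(const char *src, const char *dst)
{
    struct stat st;
    if (stat(src, &st) != 0)
        return -1;
    struct timeval times[2] = {
        { st.st_atim.tv_sec, st.st_atim.tv_nsec / 1000 }, /* access */
        { st.st_mtim.tv_sec, st.st_mtim.tv_nsec / 1000 }, /* modification */
    };
    return utimes(dst, times);
}

/* Constructed demo on two temporary files. Returns 1 when dst ends up with
 * src's atime/mtime while its ctime is newer than the restored mtime,
 * 0 when that does not hold, -1 on error. */
int demo_preserve(void)
{
    char src[] = "/tmp/utimes_src_XXXXXX", dst[] = "/tmp/utimes_dst_XXXXXX";
    /* Constructed sample timestamps (seconds since the epoch). */
    struct timeval old[2] = { { 1000000000, 0 }, { 1100000000, 0 } };
    struct stat st;
    int rc = -1;
    int sfd = mkstemp(src), dfd = mkstemp(dst);

    if (sfd >= 0 && dfd >= 0 && utimes(src, old) == 0 &&
        preserve_times(src, dst) == 0 && stat(dst, &st) == 0)
        rc = st.st_atim.tv_sec == 1000000000 &&
             st.st_mtim.tv_sec == 1100000000 &&
             st.st_ctim.tv_sec > st.st_mtim.tv_sec; /* ctime = time of the call */
    if (sfd >= 0) { close(sfd); unlink(src); }
    if (dfd >= 0) { close(dfd); unlink(dst); }
    return rc;
}

int main(void)
{
    printf("timestamps preserved, ctime newer: %d\n", demo_preserve());
    return 0;
}
```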

Issues

utimes is not supported on all platforms, including Linux on PowerPC and Solaris.

Related Events

  • open
  • access
  • stat

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.