Skip to content

chown16

Intro

chown16 - System call to change the owner and group of a given file pathname.

Description

The chown16 syscall is a system call used to change the owner and group of a given file pathname. It is an important system call because it allows the owner of a file to control who can read, write and perform operations with said file. Furthermore, it also is important for administrators to be able to set permissions for sensitive costs.

There are some edge-cases to be considered when using this syscall, such as race conditions, since changes can be made between the check time and the use time, causing inconsistent results. Furthermore, since old_uid_t and old_gid_t are used as parameters, there can be issues with overflows when dealing with high IDs numbers.

Arguments

  • pathname:const char*[K] - Pathname of the file to change the owner and group.
  • owner:old_uid_t[K] - UID (owner ID) to set as owner of the file.
  • group:old_gid_t[K] - GID (group ID) to set as group of the file.

Available Tags

  • K - Originated from kernel-space.

Hooks

sys_chown16

Type

Kprobe.

Purpose

To track every time chown16 is called, as well as its arguments and return value.

Example Use Case

A system administrator can use chown16 in order to give access to a group of users to a restricted file, by setting a given group or owner for it.

Issues

There is a vulnerability known as TOCTOU (time-of-check to time-of-use), which can cause a race condition allowing execution of malicious code.

  • chown - similar system call, but with 32-bit UID and GID parameters.
  • fchown - system call to change the owner and group of a given file descriptor.
  • lchown - system call to change the owner and group of a given symbolic link pathname.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.