fchownat
Intro
fchownat - changes the ownership and group of a given file.
Description
This syscall allows for the changing of the ownership and group of a given
file. It works by specifying the file by its name or by its file descriptor
(dirfd). It takes an additional argument, flags, with which we can specify
if the file should be followed if it is a symbolic link (AT_SYMLINK_NOFOLLOW
flag) and if the ancestor directories should be created if they don't
already exist (AT_CREATE).
Arguments
- dirfd:int[K] - dirfd is the file descriptor of a directory used to find the initial pathname. It can be set to AT_FDCWD to specify using the current directory. It must refer to a directory.
- pathname:const char*[U] - pathname is the given file name. It should be an absolute path, relative to the directory given in dirfd.
- owner:uid_t[K] - owner is the given UID for the owner of the file. It will have the given owner's group and permissions.
- group:gid_t[K] - group is the given GID for the group of the file. It will have the given owner's group and permissions.
- flags:int[K] - flags is used to specify if the path should be followed if it is a symbolic link (AT_SYMLINK_NOFOLLOW flag) and if the ancestor directories should be created if they don't already exist (AT_CREATE).
Available Tags
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Hooks
do_fchownat
Type
Kprobe + Kretprobe
Purpose
To capture syscall arguments made to fchownat.
Example Use Case
One example use case could be to capture events when a certain user is changing the ownership of a file.
Issues
It is possible for this syscall to be vulnerable to a race condition when AT_SYMLINK_NOFOLLOW is used as a flag and the target file is modified between the time that fchownat reads the target stat and the time that it attempts to perform the chown.
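One way a caller can close the check-then-chown window described above, shown as an added example (not Tracee's code and not from the original page): pin the directory entry with an O_PATH descriptor, inspect it with fstat, then call fchownat on that same descriptor with AT_EMPTY_PATH. The names chown_regular_at and demo, and the temporary-directory fixture, are assumptions made for illustration; Linux is assumed.

```c
#define _GNU_SOURCE               /* for O_PATH and AT_EMPTY_PATH */
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_PATH                    /* fallback: generic Linux ABI values */
#define O_PATH 010000000
#endif
#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000
#endif

/* Hypothetical helper: chown `name` under `dirfd` only if it is a regular
 * file. Returns 0 on success, -1 on error or for any other file type. */
int chown_regular_at(int dirfd, const char *name, uid_t owner, gid_t group)
{
    /* O_PATH|O_NOFOLLOW pins the entry itself; a symlink is not followed. */
    int fd = openat(dirfd, name, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    struct stat st; int rc = -1;
    if (fd < 0) return -1;
    /* The check and the change both act on the pinned inode, so replacing
     * `name` after openat() cannot redirect the ownership change. */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode))
        rc = fchownat(fd, "", owner, group, AT_EMPTY_PATH);
    close(fd);
    return rc;
}

/* Constructed fixture: returns 1 if a file is chowned and a symlink refused. */
int demo(void)
{
    char dir[] = "/tmp/fchownat-demo-XXXXXX";
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    int fd = openat(dirfd, "data", O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || fstat(fd, &st) != 0 || symlinkat("data", dirfd, "link") != 0)
        return 0;
    close(fd);
    /* Re-apply the current owner and group so no privilege is needed. */
    int file_rc = chown_regular_at(dirfd, "data", st.st_uid, st.st_gid);
    int link_rc = chown_regular_at(dirfd, "link", st.st_uid, st.st_gid);
    unlinkat(dirfd, "link", 0);
    unlinkat(dirfd, "data", 0);
    close(dirfd);
    rmdir(dir);
    return file_rc == 0 && link_rc == -1;
}
int main(void) { return demo() ? 0 : 1; }
```

In a Tracee trace, a caller using this pattern shows an openat on the target followed by fchownat with an empty pathname, with dirfd being the descriptor of the target itself.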
Related Events
- openat - to open a file given a directory descriptor and a path
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.