unlinkat¶
Intro¶
unlinkat - system call that deletes a file name, relative to an open directory
Description¶
unlinkat is a system call that deletes a file name, relative to an open directory. The purpose of unlinkat is to provide a more secure and robust way to delete a file than the remove() syscall, as it allows users to avoid race conditions while deleting a file.
Unlinkat also allows a user to delete links without traversing whole directory hierarchies, by providing the location of the file (directory) and its name as two separate arguments.
Unlinkat also provides the option to not traverse symbolic links with the O_NOFOLLOW flag. This allows users to delete symbolic links more securely.
Arguments¶
dirfd
:int
[K] - an open file descriptor referring to a directory.pathname
:const char*
[KU] - a string containing the name of the file to be deleted, relative to the directory referred to by dirfd.flags
:int
[K] - optional flags that can include O_NOFOLLOW, AT_REMOVEDIR, or AT_SYMLINK_NOFOLLOW.
Available Tags¶
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Hooks¶
sys_unlinkat¶
Type¶
Tracepoint
Purpose¶
To monitor file deletions.
Example Use Case¶
Finding malicious file deletions.
Issues¶
unlinkat is vulnerable to TOCTOU (time of check, time of use) attacks if the O_NOFOLLOW flag is not included.
Related Events¶
unlink(), remove(), readlinkat(), openat()
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.