utime

Intro

utime - changes file last access and modification times.

Description

The utime() system call changes the access and modification times of the inode specified by filename. The atime, mtime, and ctime arguments correspond to the values for the access, modification and inode change times respectively. If times is NULL, the access and modification times of the file are set to the current time.

When utime is called from userspace, two types of privileges can be exercised:

  • The owner of the file can call utime, and it will set the file's access and modification times to the current time.
  • The process must have root privileges to be able to change the times to a specified value other than the current time.

utime is vulnerable to a Time Of Check Time Of Use (TOCTOU) race condition, where an attacker could modify the file after it has been checked but before its times have been changed.

Arguments

  • filename:const char*[K] - Path name of the file whose access and modification times are being modified.
  • times:const struct utimbuf*[K] - Specifies new access and/or modification time. If NULL, the access and modification times of the file are set to the current time.

Available Tags

  • K - Originated from kernel-space.

Hooks

do_utimes

Type

Tracepoint

Purpose

This kernel function is typically the entry point for the utime syscall, so it was hooked to capture requests for this syscall.

Example Use Case

A system administrator may want to use utime to reset the modification and/or access times on a set of files in response to changing file access laws.

Issues

A common TOCTOU race condition when using utime can be avoided by using the utimensat() syscall.
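The race-free pattern described above, as an added example (not Tracee code): the file is opened once, checked with fstat() on the descriptor, and updated with futimens(), which glibc implements through the utimensat syscall. The helper name set_times_checked, the "regular file owned by a given UID" policy and the timestamp in main are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* futimens(), O_NOFOLLOW, O_CLOEXEC */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: set atime/mtime only if `path` is a regular file
 * owned by `expected_uid`. The check (fstat) and the use (futimens) act on
 * the same open descriptor, so replacing the path after the check cannot
 * redirect the change to another inode. Returns 0, or -1 with errno set. */
int set_times_checked(const char *path, uid_t expected_uid,
                      time_t atime, time_t mtime)
{
    /* O_NOFOLLOW: fail with ELOOP if the final component is a symlink.
     * O_NONBLOCK: do not hang if the path turns out to be a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    int rc = fstat(fd, &st);
    if (rc == 0 && (!S_ISREG(st.st_mode) || st.st_uid != expected_uid)) {
        errno = EPERM;                        /* check failed: refuse */
        rc = -1;
    }
    if (rc == 0) {
        struct timespec ts[2] = {
            { .tv_sec = atime, .tv_nsec = 0 },    /* ts[0]: access time */
            { .tv_sec = mtime, .tv_nsec = 0 },    /* ts[1]: modification time */
        };
        rc = futimens(fd, ts);                /* use: same inode as the check */
    }
    int saved = errno;                        /* close() may clobber errno */
    close(fd);
    errno = saved;
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    /* 1000000000 is a constructed sample timestamp (2001-09-09 UTC). */
    if (set_times_checked(argv[1], getuid(), 1000000000, 1000000000) != 0) {
        perror("set_times_checked"); return 1; }
    return 0;
}
```

A path-based stat() followed by utime() would resolve the name twice; here the name is resolved only once, in open().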

utimensat, futimens, utimes, futimesat

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.