fchownat - changes the ownership and group of a given file.
This syscall allows for the changing of the ownership and group of a given file. It works by specifying the file by its name or by its file descriptor (dirfd). It takes an additional argument, flags, with which we can specify if the file should be followed if it is a symbolic link (AT_SYMLINK_NOFOLLOW flag) and if the ancestor directories should be created if they don't already exist.
int[K] - dirfd is the file descriptor of a directory used to find the initial pathname. It can be set to AT_FDCWD to specify using the current directory. It must refer to a directory.
const char*[U] - pathname is the given file name. It should be an absolute path, relative to the directory given in dirfd.
uid_t[K] - owner is the given UID for the owner of the file. It will have the given owner's group and permissions.
gid_t[K] - group is the given GID for the group of the file. It will have the given owner's group and permissions.
int[K] - flags is used to specify if the path should be followed if it is a symbolic link (AT_SYMLINK_NOFOLLOW flag) and if the ancestor directories should be created if they don't already exist.
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Kprobe + Kretprobe
To capture syscall arguments made to fchownat.
Example Use Case
One example use case could be to capture events when a certain user is changing the ownership of a file.
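An added example of this use case (not Tracee's own code): it filters fchownat events made by a watched UID and decodes the dirfd, owner, group and flags arguments described above. The JSON field names (eventName, userId, processName, args) and the sample events are assumptions constructed for illustration.

```python
import json

AT_FDCWD = -100               # Linux: resolve pathname relative to the cwd
AT_SYMLINK_NOFOLLOW = 0x100   # Linux: act on the symlink itself
UNCHANGED = {-1, 0xFFFFFFFF}  # chown(2): an id of -1 leaves that field as is

# Constructed sample events. The field layout (eventName, userId, args as
# name/value pairs) is an assumption about the tracer's JSON output.
SAMPLE = """
{"eventName":"fchownat","userId":1001,"processName":"chown","args":[{"name":"dirfd","value":-100},{"name":"pathname","value":"/srv/app/config.yml"},{"name":"owner","value":0},{"name":"group","value":0},{"name":"flags","value":0}]}
{"eventName":"fchownat","userId":0,"processName":"dpkg","args":[{"name":"dirfd","value":-100},{"name":"pathname","value":"/usr/bin/tool"},{"name":"owner","value":0},{"name":"group","value":0},{"name":"flags","value":0}]}
{"eventName":"fchownat","userId":1001,"processName":"worker","args":[{"name":"dirfd","value":7},{"name":"pathname","value":"upload.tmp"},{"name":"owner","value":1001},{"name":"group","value":4294967295},{"name":"flags","value":256}]}
{"eventName":"openat","userId":1001,"processName":"cat","args":[{"name":"dirfd","value":-100},{"name":"pathname","value":"/etc/hosts"},{"name":"flags","value":0}]}
"""


def decode(event):
    # Turn the raw syscall arguments into fields an analyst can read.
    a = {x["name"]: x["value"] for x in event.get("args", [])}
    flags = int(a.get("flags", 0))
    dirfd = a.get("dirfd")
    return {
        "uid": event.get("userId"),
        "comm": event.get("processName"),
        "path": a.get("pathname"),  # [U] argument: read from user memory
        "relative_to": "cwd" if dirfd == AT_FDCWD else f"fd {dirfd}",
        "new_owner": None if a.get("owner") in UNCHANGED else a.get("owner"),
        "new_group": None if a.get("group") in UNCHANGED else a.get("group"),
        "follows_symlink": not flags & AT_SYMLINK_NOFOLLOW,
    }


def ownership_changes_by(lines, watched_uids):
    # Keep only fchownat events issued by one of the watched UIDs.
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("eventName") == "fchownat" and ev.get("userId") in watched_uids:
            hits.append(decode(ev))
    return hits


if __name__ == "__main__":
    for hit in ownership_changes_by(SAMPLE, {1001}):
        print(hit)
```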
It is possible for this syscall to be vulnerable to a race condition when AT_SYMLINK_NOFOLLOW is used as a flag and the target file is modified between the time that fchownat reads the target stat and the time that it attempts to perform the chown.
openat - to open a file given a directory descriptor and a path
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.