utimes - System call to change the access and modification times of a given file or file descriptor.
utimes is a syscall used to set the access and/or modification time of file filename or file descriptor fd to the user-specified value(s) in the times argument. If the times argument is null, the access and modification time of the given file or file descriptor will be set to the current time.
The utimes system call is especially useful when creating a backup of a file or when trying to reset the times of a file in order to keep it up to date with the latest modifications. There are some caveats to using utimes: it will only work on files that are owned by the user, and it is vulnerable to TOCTOU (time of check, time of use) attacks, as the file or file descriptor may be changed between the time of checking and the time of updating.
- filename: char*[K, U, OPT] - Pointer to a null-terminated filename string.
- times: struct timeval*[K, U] - Pointer to an array of two struct timeval objects. The first object contains the desired access time, and the second object contains the desired modification time.
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Kprobes + Tracepoints
To monitor changes to the file's access and modification times.
To monitor usage of the
Example Use Case
A backup program that wishes to keep the creation and modification dates of the backed up files up to date without altering the content of the original file.
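The backup use case and the TOCTOU caveat above, as an added example that is not part of the original page or of Tracee's code: the path-based copy uses utimes, and the descriptor-based copy swaps in fstat and futimens so that both steps act on files that are already open. The function names, temporary file paths and timestamp values are constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <unistd.h>

/* Path-based (hypothetical helper): the name is resolved again on each call,
 * so the file behind it can be replaced between stat() and utimes(). */
int copy_times_path(const char *src, const char *dst) {
    struct stat st;
    if (stat(src, &st) != 0) return -1;
    struct timeval tv[2] = {
        { st.st_atim.tv_sec, st.st_atim.tv_nsec / 1000 },  /* [0] access time */
        { st.st_mtim.tv_sec, st.st_mtim.tv_nsec / 1000 },  /* [1] modification time */
    };
    return utimes(dst, tv);
}

/* Descriptor-based (hypothetical helper): both calls act on open files, so a
 * rename or symlink swap of the path cannot redirect them. */
int copy_times_fd(int src_fd, int dst_fd) {
    struct stat st;
    if (fstat(src_fd, &st) != 0) return -1;
    struct timespec ts[2] = { st.st_atim, st.st_mtim };
    return futimens(dst_fd, ts);
}

/* Constructed scenario: give a source file old timestamps, copy them to a
 * "backup" file, and return the backup's mtime (or -1 on any failure). */
long demo(int use_fd) {
    char src[] = "/tmp/utimes_src_XXXXXX", dst[] = "/tmp/utimes_dst_XXXXXX";
    int sfd = mkstemp(src), dfd = mkstemp(dst);
    if (sfd < 0 || dfd < 0) return -1;
    struct timeval old[2] = { { 1000000000, 0 }, { 1000000123, 0 } }; /* constructed */
    struct stat st;
    long out = -1;
    if (utimes(src, old) == 0 &&
        (use_fd ? copy_times_fd(sfd, dfd) : copy_times_path(src, dst)) == 0 &&
        stat(dst, &st) == 0 && st.st_atim.tv_sec == 1000000000)
        out = (long)st.st_mtim.tv_sec;
    close(sfd); close(dfd); unlink(src); unlink(dst);
    return out;
}

int main(void) { return (demo(0) == 1000000123 && demo(1) == 1000000123) ? 0 : 1; }
```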
utimes is not supported on all platforms, including Linux on PowerPC and Solaris.
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.