From owner-freebsd-security Mon Aug 6 12:30:41 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.inka.de (quechua.inka.de [212.227.14.2]) by hub.freebsd.org (Postfix) with ESMTP id EA21C37B403 for ; Mon, 6 Aug 2001 12:30:38 -0700 (PDT) (envelope-from daemon@mips.inka.de)
Received: from kemoauc.mips.inka.de (uucp@) by mail.inka.de with local-bsmtp id 15Tq5F-000419-00; Mon, 6 Aug 2001 21:30:37 +0200
Received: (from daemon@localhost) by kemoauc.mips.inka.de (8.11.5/8.11.1) id f76JBMA41234 for freebsd-security@freebsd.org; Mon, 6 Aug 2001 21:11:22 +0200 (CEST) (envelope-from daemon)
From: naddy@mips.inka.de (Christian Weisgerber)
Subject: Re: Tracing writes?
Date: Mon, 6 Aug 2001 19:11:20 +0000 (UTC)
Message-ID: <9kmq4o$185l$1@kemoauc.mips.inka.de>
References: <9km9fr$1sb$1@kemoauc.mips.inka.de> <20010806124632.G2134@futuresouth.com>
Originator: naddy@mips.inka.de (Christian Weisgerber)
To: freebsd-security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Matthew D. Fuller wrote:

> > You see that a file is written to. How do you figure out where the
> > write() is coming from?
>
> There may not be a write().

True, but if there is, how to find it?

> There was at some time in the past a bug in the VM system that would
> cause mtimes to be updated because of (from memory) dirtied pages in the
> in-core copy of an executable being flushed back.

Yes, I suspect something like this. But for the purposes of -security:
What ways are there to identify a rogue process writing to some file it
isn't supposed to touch?

--
Christian "naddy" Weisgerber                          naddy@mips.inka.de

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
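The thread raises a detection problem with a subtlety: a changed mtime does not by itself prove that any process issued a write(), since (as quoted above) the timestamp can move for other reasons. The following is an added example, not code from the original post or from FreeBSD, showing the first step a defender can take on any Unix: poll the suspect files and classify each change as a metadata-only "touch" (mtime moved, content identical) versus a real content modification, so that only the latter is escalated. The file paths, polling interval and event format are assumptions of this example. It deliberately stops short of naming the writing process; that needs OS-specific tooling (on FreeBSD, fstat(1) for open descriptors or ktrace(1) on a suspect process) run at the moment the monitor reports a real modification.

```python
"""Poll-based file-change monitor that separates a metadata-only touch
from an actual content change.  Added example; not from the original post."""
import hashlib
import os
import time


def snapshot(path):
    """Return (mtime_ns, size, sha256_hex) for path, or None if it is missing."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return (st.st_mtime_ns, st.st_size, h.hexdigest())


def classify(old, new):
    """Classify the transition between two snapshots of the same path.

    'modified' means the bytes really changed (some process wrote the file);
    'touched' means only the mtime moved, as with a spurious timestamp update.
    """
    if old is None and new is None:
        return "absent"
    if old is None:
        return "created"
    if new is None:
        return "deleted"
    if old[2] != new[2] or old[1] != new[1]:
        return "modified"
    if old[0] != new[0]:
        return "touched"
    return "unchanged"


def watch(paths, interval=1.0, rounds=None, log=print):
    """Poll paths every `interval` seconds and log each transition.

    Returns the list of (timestamp, path, verdict) events observed; with
    rounds=None it runs until interrupted.
    """
    state = {p: snapshot(p) for p in paths}
    events = []
    n = 0
    while rounds is None or n < rounds:
        time.sleep(interval)
        for p in paths:
            cur = snapshot(p)
            verdict = classify(state[p], cur)
            if verdict not in ("unchanged", "absent"):
                ev = (time.strftime("%Y-%m-%dT%H:%M:%S"), p, verdict)
                events.append(ev)
                log("%s %s %s" % ev)
            state[p] = cur
        n += 1
    return events


if __name__ == "__main__":
    import sys
    # Usage (assumed): python watch_writes.py /path/to/suspect/file ...
    watch(sys.argv[1:])
```

When the monitor reports "touched" repeatedly on an executable with no "modified" event, the evidence points at a timestamp quirk rather than a rogue writer; a "modified" event is the point at which to capture open-descriptor and process state on the host.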