[tech] [ucc] Minutes of Meeting 4th September 2009
Adrian Chadd
adrian at ucc.gu.uwa.edu.au
Sun Sep 6 10:03:15 WST 2009
On Sat, Sep 05, 2009, Matt Johnston wrote:
> > bind had died on mooneye - I restarted it and things seem better.
>
> Sorry, I've been stracing most processes [1] on mooneye for
> a couple of days to try and figure which rogue process had
> been chmodding /dev/null to 600. That's happened a few times
> lately - really irritating, I suspect something's following
> a symlink to /dev/null. Haven't caught it though, damn
> heisenbugs - I've stopped it now.
Just(!) write a kernel module that hooks into the chmod syscall and checks
if the destination is a symlink. If it does then log a message. Similar
for fchmod() if you can easily find out what currently open file an open
FD points to.
Adrian
More information about the tech
mailing list