[tech] [ucc] Minutes of Meeting 4th September 2009

Matt Johnston matt at ucc.asn.au
Sun Sep 6 22:20:04 WST 2009


On Sun, Sep 06, 2009 at 10:03:15AM +0800, Adrian Chadd wrote:
> On Sat, Sep 05, 2009, Matt Johnston wrote:
> 
> > > bind had died on mooneye - I restarted it and things seem better.
> > 
> > Sorry, I've been stracing most processes [1] on mooneye for
> > a couple of days to try and figure which rogue process had
> > been chmodding /dev/null to 600. That's happened a few times
> > lately - really irritating, I suspect something's following
> > a symlink to /dev/null.  Haven't caught it though, damn
> > heisenbugs - I've stopped it now.
> 
> Just(!) write a kernel module that hooks into the chmod syscall and checks
> if the destination is a symlink. If it does then log a message. Similar
> for fchmod() if you can easily find out what currently open file an open
> FD points to.

LD_PRELOAD hacks would be easier. Why can't Linux have
dtrace already...

/* Log every chmod() call along with the caller's user-space stack. */
syscall::chmod:entry
{
    ustack();
    this->path = copyinstr(arg0);
    printf("chmodded pid %d %s, %s\n", pid, execname, this->path);
}

Matt
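
Added example, not part of the original message: one way the LD_PRELOAD approach mentioned above could look, logging any chmod() that goes through a symlink or resolves to /dev/null. The names chmodwatch, classify_target and WATCHED are made up for this sketch, and it assumes Linux with /proc mounted.

```c
#define _GNU_SOURCE
#include <fcntl.h>        /* AT_FDCWD */
#include <limits.h>       /* PATH_MAX */
#include <stdio.h>
#include <stdlib.h>       /* realpath */
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Build: gcc -shared -fPIC -o chmodwatch.so chmodwatch.c   (hypothetical name)
   Use:   LD_PRELOAD=$PWD/chmodwatch.so some-suspect-program */

#define WATCHED "/dev/null"   /* the node that keeps ending up mode 600 */
enum { VIA_SYMLINK = 1, HITS_WATCHED = 2 };

/* Classify a chmod() target without touching it. resolved receives the
   symlink-free path, or "?" if it cannot be resolved (e.g. dangling link). */
int classify_target(const char *path, char resolved[PATH_MAX])
{
    struct stat st;
    int flags = 0;

    if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode))
        flags |= VIA_SYMLINK;
    if (!realpath(path, resolved))
        strcpy(resolved, "?");
    else if (strcmp(resolved, WATCHED) == 0)
        flags |= HITS_WATCHED;
    return flags;
}

/* Interposed chmod(): log interesting calls, then do the real work. */
int chmod(const char *path, mode_t mode)
{
    char resolved[PATH_MAX], exe[PATH_MAX] = "?";
    int flags = classify_target(path, resolved);

    if (flags) {
        ssize_t n = readlink("/proc/self/exe", exe, sizeof(exe) - 1);
        if (n > 0)
            exe[n] = '\0';
        fprintf(stderr, "chmodwatch: pid %d (%s) chmod(\"%s\", %04o) -> %s%s\n",
                (int)getpid(), exe, path, (unsigned)mode, resolved,
                (flags & VIA_SYMLINK) ? " [via symlink]" : "");
    }
    /* Raw syscall instead of dlsym(RTLD_NEXT, ...): no recursion, no libdl. */
    return (int)syscall(SYS_fchmodat, AT_FDCWD, path, mode);
}
```

This only sees dynamically linked programs that call chmod() itself; fchmod(), fchmodat(), static binaries and setuid programs (which ignore LD_PRELOAD) go past it.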

