Format of EXECVE
Matthew Booth
mbooth at redhat.com
Mon Sep 17 21:31:17 UTC 2007
On Mon, 2007-09-17 at 16:54 -0400, Valdis.Kletnieks at vt.edu wrote:
> On Mon, 17 Sep 2007 17:50:16 BST, Matthew Booth said:
>
> > I'm considering expanding argv[0] of EXECVE to be an absolute path.
>
> I take it you mean "*an* absolute path that was valid when we cut the EXECVE
> record", and document that it may not be *the* actual path used? In a quarter
> century, I've just seen *too* many race conditions, tricks with ../symlink/foo
> links, and the like (including some interesting malware that would dynamically
> create a symlink and execve through it, just to frustrate attempts at figuring
> out which binary was being exploited).
This would be an issue in a single-pronged approach.
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20070917/15274f33/attachment.sig>
More information about the Linux-audit
mailing list