Date: Mon, 6 Aug 2001 12:46:32 -0500
From: "Matthew D. Fuller" <fullermd@futuresouth.com>
To: Christian Weisgerber <naddy@mips.inka.de>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Tracing writes?
Message-ID: <20010806124632.G2134@futuresouth.com>
In-Reply-To: <9km9fr$1sb$1@kemoauc.mips.inka.de>; from naddy@mips.inka.de on Mon, Aug 06, 2001 at 02:27:08PM +0000
References: <9km9fr$1sb$1@kemoauc.mips.inka.de>

On Mon, Aug 06, 2001 at 02:27:08PM +0000, a little birdie told me
that Christian Weisgerber remarked
> You see that a file is written to.  How do you figure out where the
> write() is coming from?

There may not be a write().

> As I have described on -current, executables keep getting new mtimes
> on my box (FreeBSD-CURRENT/alpha).  Comparing MD5-Hashes of the
> files before and after, as well as copying the files to an entirely
> different system and comparing hashes there shows no changes.  I've
> set up a little program that uses a kqueue() filter to watch over
> /bin/*.  I expected to see utimes() updates (NOTE_ATTRIB), but it's
> telling me that the executables are actually _written_ to (NOTE_WRITE).

There was at some time in the past a bug in the VM system that would
cause mtimes to be updated because of (from memory) dirtied pages in the
in-core copy of an executable being flushed back.  I believe it was
supposed to have been fixed (this was back in 2.2 days, IIRC), but it
could be rearing its head again, or a similar bug doing so.

-- 
Matthew Fuller (MF4839)     | fullermd@over-yonder.net
Unix Systems Administrator  | fullermd@futuresouth.com
Specializing in FreeBSD     | http://www.over-yonder.net/

"The only reason I'm burning my candle at both ends, is because I haven't
figured out how to light the middle yet"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
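
The before-and-after comparison described in the quoted message, as an added example that is not code from either poster: it snapshots mtime and content hash per file, then separates a timestamp-only change (the symptom in this thread) from a real content change, including one whose mtime was put back afterwards. SHA-256 is used here in place of MD5, and the verdict labels, function names and the stand-in files created by demo() are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(directory):
    """Map each regular file name to (mtime_ns, SHA-256 of its contents)."""
    state = {}
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            with open(entry.path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[entry.name] = (entry.stat(follow_symlinks=False).st_mtime_ns, digest)
    return state

def classify(before, after):
    """Label every file that differs between two snapshots."""
    findings = {}
    for name in sorted(before.keys() | after.keys()):
        if name not in after:
            findings[name] = "removed"
        elif name not in before:
            findings[name] = "added"
        else:
            (m0, h0), (m1, h1) = before[name], after[name]
            if h0 != h1:
                # Same mtime with different bytes means the timestamp was put back.
                findings[name] = "content-changed" if m0 != m1 else "content-changed-mtime-restored"
            elif m0 != m1:
                findings[name] = "mtime-only"  # the symptom reported in the thread
    return findings

def demo():
    """Run against constructed stand-in files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in ("cat", "echo", "ls", "sh")}
        for name, path in paths.items():
            with open(path, "wb") as fh:
                fh.write(b"constructed sample " + name.encode())
        before = snapshot(d)
        for name, append, shift_ns in (("ls", b"", 5 * 10**9),    # timestamp bump only
                                       ("cat", b"!", 5 * 10**9),  # ordinary write
                                       ("sh", b"!", 0)):          # write, then mtime reset
            with open(paths[name], "ab") as fh:
                fh.write(append)
            mtime = before[name][0] + shift_ns
            os.utime(paths[name], ns=(mtime, mtime))
        return classify(before, snapshot(d))

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

On a real system, snapshot() would be pointed at /bin before and after the interval of interest; a run of "mtime-only" verdicts with no content changes matches what the quoted message reports.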