From owner-freebsd-security Mon Aug 6 10:46:46 2001
Date: Mon, 6 Aug 2001 12:46:32 -0500
From: "Matthew D. Fuller"
To: Christian Weisgerber
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Tracing writes?
Message-ID: <20010806124632.G2134@futuresouth.com>
References: <9km9fr$1sb$1@kemoauc.mips.inka.de>
In-Reply-To: <9km9fr$1sb$1@kemoauc.mips.inka.de>; from naddy@mips.inka.de on Mon, Aug 06, 2001 at 02:27:08PM +0000

On Mon, Aug 06, 2001 at 02:27:08PM +0000, a little birdie told me
that Christian Weisgerber remarked
> You see that a file is written to. How do you figure out where the
> write() is coming from?

There may not be a write().

> As I have described on -current, executables keep getting new mtimes
> on my box (FreeBSD-CURRENT/alpha). Comparing MD5-Hashes of the
> files before and after, as well as copying the files to an entirely
> different system and comparing hashes there shows no changes. I've
> set up a little program that uses a kqueue() filter to watch over
> /bin/*. I expected to see utimes() updates (NOTE_ATTRIB), but it's
> telling me that the executables are actually _written_ to (NOTE_WRITE).

There was at some time in the past a bug in the VM system that would
cause mtimes to be updated because of (from memory) dirtied pages in the
in-core copy of an executable being flushed back. I believe it was
supposed to have been fixed (this was back in 2.2 days, IIRC), but it
could be rearing its head again, or a similar bug doing so.

--
Matthew Fuller (MF4839) | fullermd@over-yonder.net
Unix Systems Administrator | fullermd@futuresouth.com
Specializing in FreeBSD | http://www.over-yonder.net/

"The only reason I'm burning my candle at both ends, is because I
haven't figured out how to light the middle yet"
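
The before/after hash comparison described in the quoted message, as an added example that is not part of the original thread: it separates a file whose mtime moved while its bytes stayed identical from one whose content really changed. Assumptions: SHA-256 is used in place of MD5, the function names are hypothetical, and the temporary files are constructed stand-ins for /bin/*.

```python
import hashlib
import os
import tempfile

def snapshot(paths):
    """Record (mtime_ns, size, sha256 hex digest) for every path."""
    snap = {}
    for path in paths:
        st = os.stat(path)
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        snap[path] = (st.st_mtime_ns, st.st_size, digest.hexdigest())
    return snap

def classify(before, after):
    """Label each path in `before` by how it differs in `after`."""
    labels = {}
    for path, (mtime0, size0, hash0) in before.items():
        if path not in after:
            labels[path] = "missing"
            continue
        mtime1, size1, hash1 = after[path]
        if (size0, hash0) != (size1, hash1):
            labels[path] = "content-changed"
        elif mtime0 != mtime1:
            labels[path] = "mtime-only"  # the symptom reported in the thread
        else:
            labels[path] = "unchanged"
    return labels

def demo():
    """Constructed sample: three temp files stand in for /bin/*."""
    data = b"\x7fELF constructed sample\n"
    with tempfile.TemporaryDirectory() as tmp:
        paths = [os.path.join(tmp, name) for name in ("a", "b", "c")]
        for path in paths:
            with open(path, "wb") as fh:
                fh.write(data)
        before = snapshot(paths)
        with open(paths[0], "wb") as fh:  # a: identical bytes rewritten
            fh.write(data)
        later = before[paths[0]][0] + 10**9
        os.utime(paths[0], ns=(later, later))  # a: mtime moved 1 s forward
        with open(paths[1], "ab") as fh:  # b: a real modification
            fh.write(b"patched")
        labels = classify(before, snapshot(paths))
        return [labels[p] for p in paths]
```

An "mtime-only" result matches what the original poster observed; on its own it cannot say whether the timestamp moved through utimes(), a write of identical bytes, or a kernel-side page flush.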