From: Valdis.Kletnieks@vt.edu
Subject: Re: Format of EXECVE
Date: Mon, 17 Sep 2007 16:54:13 -0400
Message-ID: <17971.1190062453@turing-police.cc.vt.edu>
In-Reply-To: <1190047816.14088.17.camel@localhost.localdomain>
To: Matthew Booth
Cc: linux-audit
List-Id: linux-audit@redhat.com

On Mon, 17 Sep 2007 17:50:16 BST, Matthew Booth said:
> I'm considering expanding argv[0] of EXECVE to be an absolute path.

I take it you mean "*an* absolute path that was valid when we cut the EXECVE record", and document that it may not be *the* actual path used? In a quarter century, I've just seen *too* many race conditions, tricks with ../symlink/foo links, and the like (including some interesting malware that would dynamically create a symlink and execve through it, just to frustrate attempts at figuring out which binary was being exploited).
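An added example (mine, not code from this thread or from the audit project) of why the caveat above matters to whoever consumes the log: it rebuilds the "absolute argv[0]" from the CWD record and compares it with the exe= field of the matching SYSCALL record, which I assume here names the image the kernel actually executed. The audit lines are constructed for the example; serials, paths and the ../bin/ls symlink are invented.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample (not from the message). Event 42 ran "../bin/ls" from
# /tmp/work, where /tmp/bin/ls is a symlink; the kernel's exe= field names the
# file actually executed. Field names follow the Linux audit log format.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1190062453.101:42): arch=c000003e syscall=59 success=yes exit=0 exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1190062453.101:42): argc=2 a0="../bin/ls" a1="-l"
type=CWD msg=audit(1190062453.101:42): cwd="/tmp/work"
type=SYSCALL msg=audit(1190062453.205:43): arch=c000003e syscall=59 success=yes exit=0 exe="/bin/cat" key="exec"
type=EXECVE msg=audit(1190062453.205:43): argc=2 a0="/bin/cat" a1="/etc/hostname"
type=CWD msg=audit(1190062453.205:43): cwd="/home/alice"
"""

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')

def parse_event_fields(line):
    """Return a dict of key=value fields from one audit line (quotes stripped)."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def group_events(log_text):
    """Merge SYSCALL/EXECVE/CWD lines that share an audit serial into one event."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        events[int(m.group(1))].update(parse_event_fields(line))
    return events

def argv0_absolute(event):
    """The 'absolute argv[0]' a consumer would reconstruct: a0 joined onto cwd."""
    return posixpath.normpath(posixpath.join(event["cwd"], event["a0"]))

def check_argv0_against_exe(log_text):
    """Per serial: (argv[0]-derived path, exe= path, True if they disagree)."""
    findings = {}
    for serial, ev in sorted(group_events(log_text).items()):
        claimed = argv0_absolute(ev)
        findings[serial] = (claimed, ev["exe"], claimed != ev["exe"])
    return findings
```

A mismatch is the signal that the path derived from argv[0] is not the binary that ran; the exe= value (or the PATH record's inode) is what to pivot on.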