From mboxrd@z Thu Jan  1 00:00:00 1970
From: Robert Evans <bob.evans@jhuapl.edu>
Subject: Re: Why doesn't chown produce an event
Date: Wed, 02 May 2007 14:00:29 -0400
Message-ID: <4638D1BD.4040508@jhuapl.edu>
References: <4638AA93.7050108@jhuapl.edu>
	<200705021330.59459.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <200705021330.59459.sgrubb@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Got it!  So when I want to figure out how to trace something, the recommended 
course of action is do a strace on the operation, and look for a good syscall to 
tag...

Bob

Steve Grubb wrote:
> On Wednesday 02 May 2007 11:13, Robert Evans wrote:
>> If I log in as a typical user and try "chown bob /etc/shadow" I don't get
>> an event produced, however if I try "chmod 666 /etc/shadow" I do.
>>
>> What am I missing here?
> 
> A syscall. If I am on a i386 machine and I strace chmod root file.txt, I see 
> this:
> 
> chown32("file.txt", 0, -1)        = 0
> 
> So, you would want to use chown32 instead of chown on i386 machines. On x86_64 
> the chown syscall is used.
> 
> -Steve
>