On Mon, Nov 10, 2008 at 7:29 PM, ashish mahamuni <ashitpro@xxxxxxxxxxx> wrote:
> Thanks for your reply Manish..
> I could do this.
> But basically I don't want to compile the kernel..

If kernel compilation is not an option then probably all the replies
that suggested modification of the syscall table are also not valid :-( .....

Next question is why do you want to do it, because I can think of a
very silly way of doing this in userspace.

a) Rename your /usr/bin/rm to /usr/bin/obscured (this is to avoid
someone accidentally using it :-) )
b) Write a shell script with the name rm with contents as

    #!/bin/sh
    echo "User `id -u` tried to invoke $*"
    /usr/bin/obscured "$@"

and then follow
http://unix.ittoolbox.com/groups/technical-functional/solaris-l/how-to-protect-a-shell-script-686157
or just recompile rm source code to do the logging.

Thanks -
Manish

> I need something, maybe in kernel space or user space, which would do this thing. I am concerned about portability.
> I thought, I could do this using hooking. That's why I asked about it.
>
> Regards,
> Ashish
>
>
> --- On Mon, 10/11/08, Manish Katiyar <mkatiyar@xxxxxxxxx> wrote:
>
>> From: Manish Katiyar <mkatiyar@xxxxxxxxx>
>> Subject: Re: System call hooking in 2.6 kernel..
>> To: "Anuz Pratap Singh Tomar" <chambilkethakur@xxxxxxxxx>
>> Cc: ashitpro@xxxxxxxxxxx, kernelnewbies@xxxxxxxxxxxx
>> Date: Monday, 10 November, 2008, 5:45 PM
>> On Mon, Nov 10, 2008 at 4:28 PM, Anuz Pratap Singh Tomar
>> <chambilkethakur@xxxxxxxxx> wrote:
>> > Why would a kernel module be required for that?
>> > I guess that can be done in user space as well.
>> >
>> > Regards
>> > Anuz
>> >
>> > On Mon, Nov 10, 2008 at 2:36 PM, ashish mahamuni <ashitpro@xxxxxxxxxxx>
>> > wrote:
>> >>
>> >> Hello All,
>> >>
>> >> I am trying to write a module which will log the user who deleted the
>> >> file...
>> >> So, I am thinking of hooking the unlink system call...
>>
>> why do you need to hook a system call ?? Why isn't a printk
>> sufficient. I added this in my fs/namei.c
>>
>> static long do_unlinkat(int dfd, const char __user *pathname)
>> {
>> ................
>>         if (error)
>>                 return error;
>>
>>         error = -EISDIR;
>>         if(current->uid)
>>                 printk("User [%d] pid [%d] tried to delete \"%s\"\n", current->uid,
>>                        current->pid, name);
>> .........
>>
>> and it works for me as below
>>
>> [katiyar@localhost ~]$ echo hi > manish
>> [katiyar@localhost ~]$ rm manish
>> User [512] pid [2072] tried to delete "manish"
>> [katiyar@localhost ~]$ tail -1 /var/log/messages
>> Nov 10 07:15:31 localhost kernel: User [512] pid [2072] tried to delete "manish"
>>
>> Is there something else that you want ??
>>
>> Thanks -
>> Manish
>>
>> >> Which is the best way to achieve this?
>> >> Is it possible in 2.6 kernel?
>> >>
>> >> Regards
>> >> Ashish
>> >>
>> >> --
>> >> To unsubscribe from this list: send an email with
>> >> "unsubscribe kernelnewbies" to ecartis@xxxxxxxxxxxx
>> >> Please read the FAQ at http://kernelnewbies.org/FAQ
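Added example, not part of the thread or written by any of its participants: a userspace alternative to the kernel printk and the rm wrapper discussed above, as an LD_PRELOAD shim that logs the same "User [uid] pid [pid]" record for unlink() and unlinkat() without rebuilding the kernel. It assumes Linux with a dynamically linked libc; the names unlinklog.so and format_unlink_record are hypothetical, and the file name is escaped so that a name containing quotes or newlines cannot forge a log line.

```c
/* Added example (not from the thread). Build: gcc -shared -fPIC -o unlinklog.so unlinklog.c
 * Use: LD_PRELOAD=./unlinklog.so rm somefile        (file names are assumptions) */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Builds the log record in buf. Bytes outside printable ASCII, plus '"' and
 * '\\', are written as \xNN so a crafted file name cannot forge or split a
 * log line. Returns the record length, or -1 if buf is too small. */
int format_unlink_record(char *buf, size_t size, uid_t uid, pid_t pid, const char *path)
{
    int n = snprintf(buf, size, "User [%u] pid [%d] tried to delete \"",
                     (unsigned)uid, (int)pid);
    if (n < 0 || (size_t)n >= size)
        return -1;
    size_t off = (size_t)n;
    for (const unsigned char *p = (const unsigned char *)path; *p; p++) {
        int plain = *p >= 0x20 && *p < 0x7f && *p != '"' && *p != '\\';
        if (off + (plain ? 1 : 4) + 2 > size)   /* room for closing quote + NUL */
            return -1;
        if (plain)
            buf[off++] = (char)*p;
        else
            off += (size_t)sprintf(buf + off, "\\x%02x", (unsigned)*p);
    }
    buf[off++] = '"';
    buf[off] = '\0';
    return (int)off;
}

static void log_unlink(const char *path)
{
    char rec[4 * PATH_MAX + 64];   /* worst case: every byte escaped */
    if (path && format_unlink_record(rec, sizeof rec, getuid(), getpid(), path) > 0)
        syslog(LOG_AUTHPRIV | LOG_NOTICE, "%s", rec);
}

/* Interposed libc entry points: log first, then issue the real system call. */
int unlinkat(int dfd, const char *path, int flags)
{
    log_unlink(path);
    return (int)syscall(SYS_unlinkat, dfd, path, flags);
}

int unlink(const char *path) { return unlinkat(AT_FDCWD, path, 0); }
```

Like the rm wrapper, this only sees programs that load the shim: statically linked binaries, setuid programs and code that issues the system call directly are not logged, so it is a convenience record rather than a tamper-resistant audit trail.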