Dear dtrace gurus,
I am new to dtrace and am trying to use it to investigate unexpected
changes in file ownership.
How do I find out the name of the file being chowned?
So far I have:
/* chown.d */
BEGIN
{
    trace("beginning!");
}

syscall::chown:entry,
syscall::fchown:entry,
syscall::lchown:entry
/ execname != "gconfd-2" /
{
    printf("execname=%s, pid=%d\n", execname, pid);
    printf("\t\tpath=%d, owner=%d, group=%d\n",
        arg0, arg1, arg2);
    stack();
}

END
{
    trace("ending!");
}
/* end chown.d */
(sample output below)
I expect the first argument (arg0) to chown to be the name of the file.
However, I get an integer instead.
I assume this is a char pointer, or an inode, or some other data structure.
I am using Solaris 10 Update 7.
thanks,
Josh Kline
sample output:
-bash-3.00# dtrace -s chown.d
dtrace: script 'chown.d' matched 5 probes
CPU     ID                    FUNCTION:NAME
  0      1                           :BEGIN   beginning!
  0    321                      chown:entry   execname=perl, pid=1306
                path=134669904, owner=25, group=10
              unix`sys_sysenter+0x101
  0    321                      chown:entry   execname=perl, pid=1307
                path=134669904, owner=25, group=10
              unix`sys_sysenter+0x101
  0    321                      chown:entry   execname=chown, pid=1308
                path=134512328, owner=25, group=10
              unix`sys_sysenter+0x101
  0    321                      chown:entry   execname=chown, pid=1309
                path=134512328, owner=25, group=10
              unix`sys_sysenter+0x101
> printf( "\t\tpath=%d, owner=%d, group=%d\n",
>     arg0, arg1, arg2 );
> I expect the first argument (arg0) to chown to be the name of the file.
> However, I get an integer instead.

You're printing it with %d; that's not going to show you anything like a string. Try %s, and try copyinstr(arg0) as the argument.
On Thu, Aug 20, 2009 at 9:25 PM, Josh Kline <jkline at mediatemple.net> wrote:
> Dear dtrace gurus,
>
> I am new to dtrace and am trying to use it to investigate unexpected
> changes in file ownership.
> How do I find out the name of the file being chowned?

You need to use copyinstr(). A trivial example is:

$ dtrace -n 'syscall::chown:entry { trace(copyinstr(arg0)) }'
dtrace: description 'syscall::chown:entry ' matched 1 probe
CPU     ID                    FUNCTION:NAME
  4   7879                      chown:entry   /dev/pts/17
  4   7879                      chown:entry   /dev/pts/17
  4   7879                      chown:entry   /dev/pts/17

>
> So far I have:
> /* chown.d */
> BEGIN
> {
>     trace("beginning!");
> }
>
> syscall::chown:entry,
> syscall::fchown:entry,
> syscall::lchown:entry
> / execname != "gconfd-2" /
> {
>     printf("execname=%s, pid=%d\n", execname, pid);
>     printf( "\t\tpath=%d, owner=%d, group=%d\n",
>         arg0, arg1, arg2 );

copyinstr(arg0), ...

>     stack();
> }
>
> END
> {
>     trace ("ending!");
> }
> /* end chown.d */
> (sample output below)
>
> I expect the first argument (arg0) to chown to be the name of the file.
> However, I get an integer instead.
> I assume this is a char pointer, or an inode, or some other data structure.
>
> I am using solaris 10 update 7.

You will need special handling for fchown because arg0 is going to be a file descriptor. You will need to use fds[arg0].fi_pathname to get at the path. In this case, you don't need to use copyinstr() because that memory is already in the kernel - no copyin() is required to get it there.

-- 
Mike Gerdts
http://mgerdts.blogspot.com/
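Putting both replies together, here is a complete D script that does what the original chown.d was trying to do: chown()/lchown() get their path via copyinstr(), fchown() gets it via fds[arg0].fi_pathname. This is an added example, not a script from the thread or from the dtrace-discuss posters, and the file name chown_trace.d is assumed. It goes a little beyond the replies in two ways: the user-space pointer is saved at :entry and copied in at :return, so copyinstr() does not fail on a page the process has not faulted in yet (a known pitfall when copying strings at syscall entry), and it records uid and ppid and prints ustack() rather than stack(), since the kernel stack in the sample output above only ever shows the syscall trap (unix`sys_sysenter), which tells you nothing about which code in perl or chown asked for the change.

```d
#!/usr/sbin/dtrace -s
/*
 * chown_trace.d (assumed name; added example, not from the original thread).
 * Log every chown/lchown/fchown with the target path, the requesting uid,
 * the parent pid and a user-space stack, to explain unexpected ownership changes.
 */
#pragma D option quiet

/*
 * chown() and lchown() take a user-space "const char *" in arg0.
 * Only the pointer is stashed here; the string is copied in at :return,
 * by which time the kernel has touched the page and copyinstr() is safe.
 */
syscall::chown:entry,
syscall::lchown:entry
/ execname != "gconfd-2" /
{
    self->path  = arg0;
    self->owner = arg1;
    self->group = arg2;
}

/* At :return, arg0 is the syscall's return value, so a failed chown still shows up. */
syscall::chown:return,
syscall::lchown:return
/ self->path /
{
    printf("%s %s[%d] uid=%d ppid=%d path=%s owner=%d group=%d rc=%d\n",
        probefunc, execname, pid, uid, ppid, copyinstr(self->path),
        self->owner, self->group, (int)arg0);
    ustack();
    self->path  = 0;
    self->owner = 0;
    self->group = 0;
}

/*
 * fchown() takes a file descriptor in arg0. The fds[] array is kernel-resident,
 * so fi_pathname can be read directly at :entry; no copyinstr() is involved.
 */
syscall::fchown:entry
/ execname != "gconfd-2" /
{
    printf("%s %s[%d] uid=%d ppid=%d fd=%d path=%s owner=%d group=%d\n",
        probefunc, execname, pid, uid, ppid, arg0, fds[arg0].fi_pathname,
        arg1, arg2);
    ustack();
}
```

Run it the same way as the original (dtrace -s chown_trace.d). The one caveat worth knowing: fds[arg0].fi_pathname is only as good as the kernel's record of how the descriptor was opened, so for descriptors with no path behind them (sockets, for example) expect a placeholder rather than a filename.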