Re: File watching
On Tue, 20 Jun 2006 15:08:53 EDT, Steve said:
Here is the whole record for root accessing the file
audit(1150830257.233:250): arch=40000003 syscall=5 success=yes exit=3
a0=9a62398 a1=8000
^^^^
I am not sure why it opens the file as read-only when root opens it...
Because when root passes O_RDONLY, the kernel doesn't second-guess and open
it read-right....
Attachments:
- attachment.sig (application/pgp-signature — 226 bytes)