Now the whole 'cat < /etc/passwd' bit I found intriguing because sure
enough if you strace the 'cat < /etc/passwd' you don't see any
sys_open's (makes sense).
however if you strace the pid of the bash shell you do.
[pid 8807] open("/etc/passwd", O_RDONLY|O_LARGEFILE) = 3
[pid 8807] dup2(3, 0) = 0
[pid 8807] close(3) = 0
[pid 8807] execve("/bin/cat", ["cat"], [/* 34 vars */]) = 0
now if you were to be watching what is executing, you flag any opening
of the /etc/passwd file and then after the duplication of the file
descriptor you know something is happening.. could you not get around
the "no logging" issue...
as later we see the fd, (0) being used for :
read(0, "root:x:0:0:root:/root"..., 4096)
may not want to block the calls that are going on, however may want to
log them on systems that you had a concern on...login however does not
create the same pattern...
just my two pennies, and some thinking to do for myself now too!
--
Mark <[EMAIL PROTECTED]>
