setuids.d - snoop setuid calls as they occur. Uses DTrace. setuids.d setuids.d is a simple DTrace program to print details of setuid calls, where a process assumes a different UID. These are usually related to login events. Since this uses DTrace, only the root user or users with the dtrace_kernel privilege can run this command. Solaris stable - needs the syscall provider.

Default output, print setuids as they occur, # setuids.d

UID user ID (from)

SUID set user ID (to)

PPID parent process ID

PID process ID

PCMD parent command

CMD command (with arguments)

See the DTraceToolkit for further documentation under the Docs directory. The DTraceToolkit docs may include full worked examples with verbose descriptions explaining the output. setuids.d will run forever until Ctrl-C is hit. Brendan Gregg [Sydney, Australia] dtrace(1M), bsmconv(1M)