1N/A#!/usr/sbin/dtrace -s
/*
 * setuids.d - snoop setuid calls. This can examine user logins.
 * Written in DTrace (Solaris 10 3/05).
 *
 * $Id: setuids.d 3 2007-08-01 10:50:08Z brendan $
 *
 * USAGE: setuids.d
 *
 * FIELDS:
 * UID user ID (from)
 * SUID set user ID (to)
 * PPID parent process ID
 * PID process ID
 * PCMD parent command
 * CMD command (full arguments)
 *
 * SEE ALSO: BSM auditing
 *
 * COPYRIGHT: Copyright (c) 2005 Brendan Gregg.
 *
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License"). You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at Docs/cddl1.txt
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * CDDL HEADER END
 *
 * 09-May-2004 Brendan Gregg Created this.
 * 08-May-2005 " " Used modern variable builtins.
 * 28-Jul-2005 " " Last update.
 */
1N/A
/*
 * Quiet mode: suppress dtrace's default per-probe output so that only the
 * printf() lines produced by this script appear.
 */
#pragma D option quiet

/*
 * Emit the column header once, when tracing starts. The field widths here
 * mirror the widths used for each event row printed on setuid return.
 */
dtrace:::BEGIN
{
	printf("%5s %5s %5s %5s %-12s %s\n", "UID", "SUID", "PPID", "PID",
	    "PCMD", "CMD");
}
1N/A
/*
 * On entry to setuid, remember the caller's current UID and the UID it is
 * asking for, in thread-local variables, so the return probe can report
 * both once the outcome is known.
 *
 * Coverage note: this probe description matches only the system call named
 * "setuid". Credential changes made through any other system call are not
 * seen by this script, so an empty trace is not proof that no UID change
 * happened.
 */
syscall::setuid:entry
{
	/* Marks that this thread's entry was observed; checked on return. */
	self->ok = 1;

	/* arg0 at entry is the first syscall argument: the requested UID. */
	self->suid = arg0;

	/* uid is the DTrace built-in for the calling process's real UID. */
	self->uid = uid;
}
1N/A
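/*
 * Print one row for each setuid call that succeeded.
 *
 * Predicate: arg0 on a syscall return probe is the return value, and 0
 * means success; self->ok restricts output to calls whose entry was also
 * traced, so the saved "from" and "to" UIDs are valid.
 *
 * Both command columns use %S, which escapes non-printable characters.
 * The parent command name and the argument string are chosen by whoever
 * started those processes, so they are untrusted text: printed raw, they
 * could carry control or escape sequences into the terminal or log that
 * receives this output.
 *
 * NOTE(review): the parent command is read by walking kernel structures
 * (curthread->t_procp->p_parent->p_user.u_comm). These are kernel-internal
 * fields rather than a documented stable interface - confirm they exist
 * with this layout on the target release.
 * NOTE(review): pr_psargs is a fixed-size record of the process arguments
 * and may be truncated, so CMD is not guaranteed to be the full command
 * line - verify before relying on it as evidence.
 */
syscall::setuid:return
/arg0 == 0 && self->ok/
{
	printf("%5d %5d %5d %5d %-12S %S\n",
	    self->uid, self->suid, ppid, pid,
	    curthread->t_procp->p_parent->p_user.u_comm,
	    curpsinfo->pr_psargs);
}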
1N/A
/*
 * Cleanup: runs on every setuid return, successful or not. It is listed
 * after the printing clause for the same probe, so the saved values are
 * still available when the row is printed. Assigning zero to a DTrace
 * thread-local variable releases its storage, and clearing self->ok stops
 * a later return from being reported with stale values.
 */
syscall::setuid:return
{
	self->ok = 0;
	self->suid = 0;
	self->uid = 0;
}