Subject: Re: recent change to kern_exec.c for #! interpreters
To: None <firstname.lastname@example.org>
From: Hubert Feyrer <email@example.com>
Date: 08/08/2005 05:19:46
On Sun, 7 Aug 2005, Erik E. Fair wrote:
>> Modified Files:
>> src/sys/kern: kern_exec.c
>> Log Message:
>> Use real executed program in logs instead of the script that was executed.
>> For example, this used to give false logs of matching fingerprint for
>> foo.sh while foo.sh doesn't have an entry, and the program executed (and
>> matching the fingerprint) is the interpreter - /bin/sh.
> So ... if I were running with acct(2) on, what will I see in the ac_comm
> field of the structure that is written to the accounting file? sh? or the
> name of the script?
> I submit that if it is the former, this is not a good change.
Also, what if you want to verify(exec) several different scripts?