by zokier
1064 days ago
Yeah, this exec trace from the article is wrong, it is missing one sh -c from the chain:

    $ ssh localhost figlet foobar bar\ baz
    execve("/usr/bin/ssh", ["ssh", "localhost", "figlet", "foobar", "bar baz"], …
    execve("/usr/bin/figlet", ["figlet", "foobar", "bar", "baz"], …

In practice it looks more like this (traced with execsnoop):

    PCOMM   PID   PPID  RET  ARGS
    ssh     4255  2058  0    "/usr/bin/ssh" "localhost" "figlet" "foobar" "bar baz"
    sshd    4256  2147  0    "/usr/bin/sshd" "-D" "-R"
    bash    4259  4258  0    "/bin/bash" "-c" "figlet foobar bar baz"
    figlet  4259  4258  0    "/usr/bin/figlet" "foobar" "bar" "baz"
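An added example, not part of the comment above: a small Python model of the chain in the execsnoop trace, showing why "bar baz" arrives as two arguments and how quoting each argument before handing it to ssh preserves it. The function names are made up for this sketch, and `shlex.split` only approximates the remote shell's word splitting (no expansion, globbing or operators).

```python
import shlex


def ssh_command_string(args):
    """Model of the client side: ssh joins the command arguments with
    single spaces into one string, losing the local argv boundaries."""
    return " ".join(args)


def remote_shell_argv(command_string):
    """Model of the server side: the login shell is run as `shell -c <string>`
    and splits the string into words again (approximated with shlex)."""
    return shlex.split(command_string)


def quote_for_remote_shell(args):
    """Defensive step: quote every argument for a POSIX shell so the
    remote re-split reproduces the original argv exactly."""
    return [shlex.quote(a) for a in args]


def run_through_ssh(args):
    """Full round trip: local argv -> joined string -> remote argv."""
    return remote_shell_argv(ssh_command_string(args))


if __name__ == "__main__":
    # Constructed input: the argv from the trace, after the local shell
    # has already consumed the backslash in `bar\ baz`.
    local = ["figlet", "foobar", "bar baz"]

    print("string given to bash -c:", repr(ssh_command_string(local)))
    print("unquoted, remote argv:  ", run_through_ssh(local))
    print("quoted, remote argv:    ",
          run_through_ssh(quote_for_remote_shell(local)))
```

The same applies to any argument containing shell metacharacters: without the quoting step the remote shell interprets them, with it they stay literal data.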