From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: useradd question
Date: Wed, 22 May 2019 13:34:34 -0400
Message-ID: <1895815.SLc6sCx9v7@x2>
References: <d3d7fc57-c368-9d01-aae5-cb5469cd2334@magitekltd.com>
	<2786293.P8e7BSF5A5@x2>
	<75873a5b-255c-9b31-1b0e-6a1552021ab1@magitekltd.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <75873a5b-255c-9b31-1b0e-6a1552021ab1@magitekltd.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Lenny Bruzenak <lenny@magitekltd.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday, May 20, 2019 4:05:55 PM EDT Lenny Bruzenak wrote:
> On 5/20/19 2:59 PM, Steve Grubb wrote:
> > So...I went digging through the source code of useradd.c. In main is this
> > 
> > comment:
> >         /*
> >         
> >          * Do the hard stuff:
> >          * - open the files,
> >          * - create the user entries,
> >          * - create the home directory,
> >          * - create user mail spool,
> >          * - flush nscd caches for passwd and group services,
> >          * - then close and update the files.
> >          */
> > 
> > If you dig around, you'll see in the above process it calls usr_update().
> > This is where the audit event is. The very next function call is
> > close_files. This is where it actually writes to the files where it
> > would be visible to auditd. So, it looks like auditing in shadow-utils
> > is busted.
> > 
> > I also see where its calling pam_tally2 which is deprecated for years. It
> > should be calling faillock. I'll chat with upstream maintainers.
> 
> Thank you Steve, much appreciated! If they are able to provide a patch,
> would you mind asking them to send me a link and I'll test it ASAP?

I think this is the right fix:

diff -urp shadow-4.6.orig/src/useradd.c shadow-4.6/src/useradd.c
--- shadow-4.6.orig/src/useradd.c       2019-05-21 08:26:12.533328554 -0400
+++ shadow-4.6/src/useradd.c    2019-05-22 12:21:46.305293997 -0400
@@ -1955,9 +1955,14 @@ static void usr_update (void)
 #endif                         /* ENABLE_SUBIDS */

 #ifdef WITH_AUDIT
+       /*
+        * Even though we have the ID of the user, we won't send it now
+        * because its not written to disk yet. After close_files it is
+        * and we can use the real ID thereafter.
+        */
        audit_logger (AUDIT_ADD_USER, Prog,
                      "add-user",
-                     user_name, (unsigned int) user_id,
+                     user_name, AUDIT_NO_ID,
                      SHADOW_AUDIT_SUCCESS);
 #endif
        /*