Re: [PATCH] audit: handle loginuid through proc

[Chris Wright <chrisw@osdl.org>]

* Albert Cahalan (albert@users.sourceforge.net) wrote:
> On Thu, 2005-02-24 at 22:49 -0800, Chris Wright wrote:
> > * Albert Cahalan (albert@users.sourceforge.net) wrote:
> 
> > > Assuming you'd like ps to print the LUID, how about
> > > putting it with all the others? There are "Uid:"
> > > lines in the /proc/*/status files.
> > 
> > It's also set (written) via /proc, so it should probably stay separate.
> 
> Gross. Please rip this out before it hits the streets.
> (it's an interface change that might need eternal support)

It's already supported via the new pam_loginuid module.  Also the
loginuid is not a part of the task proper, rather the audit context.
It's treated in a manner similar to security contexts which are handled
via /proc interfaces.  Having said that, I wouldn't be opposed to a
patch that promotes it to compatible syscall as you mentioned below
(thanks for the details) if it turns out to be useful.  Got a patch?

[details left for linux-audit folks]

> Consider that:
> 
> 1. Every other UID is handled by system calls:
>    getuid, setuid, geteuid, setreuid,
>    setresuid, getresuid, setfsuid
> 
> 2. HP's Tru64 has getluid() and setluid() system calls
>    that Linux should be compatible with. SecureWare has a
>    version too, which looks more-or-less compatible with
>    what HP is offering. (the descriptions do not conflict,
>    but one has more details) It looks like ssh, apache,
>    and sendmail (huh?) already knows to use these system
>    calls even. 
> 
> The <prot.h> header is used. Prototypes are the obvious.
> The setuid() call returns 0 on success.
> 
> Tru64 notes that the login UID is sometimes called the
> audit UID (AUID) because it is recorded with most audit
> events.
> 
> getluid() returns an error if the LUID (AUID) is unset.
> 
> SecureWare additionally notes that setuid() and setgid() will
> also fail when the luid is unset, to ensure that the LUID
> is set before any other identity changes. (probably Linux
> should just disable setting LUID after that point)
> 
> ------------
> 
> Just to be complete, here's what Sun did:
> 
> Sun has getauid() and setauid() syscalls which are
> somewhat similar. They take pointers to the ID, and they
> require privilege (PRIV_SYS_AUDIT and PRIV_PROC_AUDIT
> for setauid, or just PRIV_PROC_AUDIT for getauid)
> These calls have been superceded by getaudit_addr() and
> setaudit_addr(), which use structs containing:
> 
> au_id_t       ai_auid;     // audit user ID
> au_mask_t     ai_mask;     // preselection mask
> au_tid_addr_t ai_termid;   // terminal ID
> au_asid_t     ai_asid;     // audit session ID
> 
> (the terminal ID is variable length, containing a
> network address and a length value for it)