From: "paul moore" <paulmoore100@hotmail.com>
To: linux-audit@redhat.com
Subject: (no subject)
Date: Fri, 20 Apr 2007 15:13:17 -0700 [thread overview]
Message-ID: <BAY119-DAV143C129951113E597D3A2C8C560@phx.gbl> (raw)
Message-ID: <000301c78399$1924de30$656fa8c0@centrify.com> (raw)
My understanding is that the auid/loginid process property is to allow the
audit system to *really* know who did things In particular it seems to be
for tracking who did things when they run su or sudo
But it seems to be trivial to spoof it
login as: paul
paul@192.168.111.40's password:
Last login: Fri Apr 13 13:34:26 2007 from 192.168.111.101
[paul@rhes5-wa-1 ~]$ sudo bash
[root@rhes5-wa-1 ~]# cat /proc/self/loginuid
556[root@rhes5-wa-1 ~]# echo 600 > /proc/self/loginuid
[root@rhes5-wa-1 ~]# cat /proc/self/loginuid
600[root@rhes5-wa-1 ~]# exit
[paul@rhes5-wa-1 ~]$ cat /proc/self/loginuid
556[paul@rhes5-wa-1 ~]$
I was 556 at login, after sudo i am still 556 but then as root I can now
change it to 600 and the audit log for my actions has auid=600 in it
doesnt that undermine the whole point of the login id?
Surely once it has been set it should not be possible to change it again.
I see a debate in the thread "proc_loginuid_write() checks wrong capability"
about who should be able to do this but it misses the point. It should only
be writtable if its -1 at the moment.
Otherwise it must be unconditionally rejected.
The argument for it being like it is is that root is all powerfull so they
should be allowed to do anything. But the beauty of auid is that it lets me
see who the root sudoer really is.
(BTW - my 10$ says its should be a new capability since it doesn't match
either CONTROL or WRITE, But if that's not possible then it should be
CONTROL)
Any insights gratefully received
Paul Moore
next reply other threads:[~2007-04-20 22:46 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <000301c78399$1924de30$656fa8c0@centrify.com>
2007-04-20 22:13 ` paul moore [this message]
2007-04-20 23:32 ` (no subject) Steve Grubb
[not found] ` <000701c783ab$6be710e0$656fa8c0@centrify.com>
2007-04-21 0:24 ` paul moore
2007-04-23 13:46 ` Steve Grubb
2008-01-12 13:45 Abhishek Gupta
2008-01-12 14:55 ` Steve Grubb
-- strict thread matches above, loose matches on Subject: below --
2007-11-02 16:21 Bill Tangren
2007-08-18 17:02 Henning, Arthur C. (CSL)
2007-05-24 14:03 Kirkwood, David A.
2007-03-15 19:42 Kirkwood, David A.
2007-03-15 21:15 ` Bill Tangren
2006-05-03 17:21 Kirkwood, David A
2006-05-03 17:31 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=BAY119-DAV143C129951113E597D3A2C8C560@phx.gbl \
--to=paulmoore100@hotmail.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox