From mboxrd@z Thu Jan  1 00:00:00 1970
From: "paul moore" <paulmoore100@hotmail.com>
Subject: hexified path in cwd audit message if dir no longer exists
Date: Fri, 4 May 2007 17:47:19 -0700
Message-ID: <BAY119-DAV69FC264A0127D23C9C9448C470@phx.gbl>
Mime-Version: 1.0
Content-Type: text/plain;
	charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])
	by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id l450lUtM000800
	for <linux-audit@redhat.com>; Fri, 4 May 2007 20:47:30 -0400
Received: from bay0-omc3-s1.bay0.hotmail.com (bay0-omc3-s1.bay0.hotmail.com
	[65.54.246.201])
	by mx1.redhat.com (8.13.1/8.13.1) with ESMTP id l450lSHs027081
	for <linux-audit@redhat.com>; Fri, 4 May 2007 20:47:28 -0400
Message-ID: <000301c78eae$ef9128f0$656fa8c0@centrify.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com



Redhat es4 x86 monoproc
Kernel 2.6.9-34.EL
Audit 1.0.12-1.EL4

Occasiaonally I get a CWD audit message that has a hexified path in it.
Like this

$1 = "audit(1178324383.479:1566):
cwd=2F70726F632F35373336202864656C6574656429\000
This is "/proc/5736"

The message is coming from a shell process whose current dir is /proc/5736
and 5736 exited The cwd path contains junk after the "6" character - so
audit unstrusted string has hexified it I have not tried with real dirs


 Bug?