public inbox for linux-audit@redhat.com
* Executable permissions
From: Karl MacMillan @ 2006-12-13 16:00 UTC
  To: linux-audit

Is there a reason that the audit tools that take a file name parameter 
(-if) are not executable by non-root users? This prevents their use by 
an admin to do analysis of saved audit logs with an unprivileged user login.

Thanks - Karl

* Re: Executable permissions
From: Steve Grubb @ 2006-12-13 16:11 UTC
  To: linux-audit

On Wednesday 13 December 2006 11:00, Karl MacMillan wrote:
> Is there a reason that the audit tools that take a file name parameter
> (-if) are not executable by non-root users?

Current tools do not.

[root src]# grep getuid *.c
auditctl.c:             if (getuid() != 0) {
auditctl.c:             if (getuid() != 0) {

Must be root to send netlink

auditd.c:       if (getuid() != 0) {

Must be root to read netlink

autrace.c:      if (getuid() != 0) {

Must be root to write to netlink.

-Steve

* Re: Executable permissions
From: Linda Knippers @ 2006-12-13 16:19 UTC
  To: Steve Grubb; +Cc: linux-audit

Steve Grubb wrote:
> On Wednesday 13 December 2006 11:00, Karl MacMillan wrote:
> 
>>Is there a reason that the audit tools that take a file name parameter
>>(-if) are not executable by non-root users?
> 
> 
> Current tools do not.
> 
> [root src]# grep getuid *.c
> auditctl.c:             if (getuid() != 0) {
> auditctl.c:             if (getuid() != 0) {
> 
> Must be root to send netlink
> 
> auditd.c:       if (getuid() != 0) {
> 
> Must be root to read netlink
> 
> autrace.c:      if (getuid() != 0) {
> 
> Must be root to write to netlink.

I think Karl is talking about the mode bits.  The audit tools
are 750, owned by root,root, on my system, so not executable
by non-root users.

-- ljk

* Re: Executable permissions
From: Karl MacMillan @ 2006-12-13 16:20 UTC
  To: Steve Grubb; +Cc: linux-audit

Steve Grubb wrote:
> On Wednesday 13 December 2006 11:00, Karl MacMillan wrote:
>> Is there a reason that the audit tools that take a file name parameter
>> (-if) are not executable by non-root users?
> 
> Current tools do not.
> 

[root@localhost ~]# ls -l /sbin/au*
-rwxr-x--- 1 root root   3080 Dec  1 11:37 /sbin/audispd*
-rwxr-x--- 1 root root  88216 Dec  1 11:37 /sbin/auditctl*
-rwxr-x--- 1 root root  96068 Dec  1 11:37 /sbin/auditd*
-rwxr-x--- 1 root root 102864 Dec  1 11:37 /sbin/aureport*
-rwxr-x--- 1 root root 115420 Dec  1 11:37 /sbin/ausearch*
-rwxr-x--- 1 root root  68816 Dec  1 11:37 /sbin/autrace*

[root@localhost ~]# rpm -qa | grep audit
audit-libs-1.3-3.fc7
audit-1.3-3.fc7
audit-libs-python-1.3-3.fc7
audit-libs-devel-1.3-3.fc7

It's not the code, but rather the default permissions on the 
executables. So this might just be a packaging problem.

Thanks - Karl

* Re: Executable permissions
From: Steve Grubb @ 2006-12-13 17:14 UTC
  To: Karl MacMillan; +Cc: linux-audit

On Wednesday 13 December 2006 11:20, Karl MacMillan wrote:
> So this might just be a packaging problem.

Yeah, I think I can open it for those two programs.

-Steve
