From: Casey Schaufler
Subject: Re: proc_loginuid_write() checks wrong capability?
Date: Tue, 6 Feb 2007 11:15:22 -0800 (PST)
Message-ID: <20070206191522.23902.qmail@web36615.mail.mud.yahoo.com>
References: <20070206182715.GA25164@suse.de>
In-Reply-To: <20070206182715.GA25164@suse.de>
Reply-To: casey@schaufler-ca.com
To: Steve Beattie, linux-audit@redhat.com

--- Steve Beattie wrote:

> Hi,
>
> Looking at the code for proc_loginuid_write() in Linus' git tree, the
> capability CAP_AUDIT_CONTROL is needed to write to /proc/pid/loginuid
> and generate LOGIN type records. This seems to run counter to the
> capabilities(7) manpage, which suggests that CAP_AUDIT_CONTROL is to
> "Enable and disable kernel auditing; change auditing filter rules;
> retrieve auditing status and filtering rules", whereas CAP_AUDIT_WRITE
> is to "Allow records to be written to kernel auditing log."
>
> Should the following patch be applied, or am I misunderstanding something?

The latter. CAP_AUDIT_WRITE allows you to create audit records, and that's it. It does not allow you to change how they're managed, which is an important aspect of the loginuid of a process.
Updating the loginuid changes information that will go into audit records, and that is strongly related to "filtering rules".

> It doesn't seem quite right that anything that makes use of
> pam_loginuid.so should need to be granted the capability that allows
> enabling and disabling kernel auditing or changing filter rules.

Although the current audit system doesn't do so (at least, I don't think it does, I could be wrong), specifying audit characteristics on a per-session basis would require that capability.

Casey Schaufler
casey@schaufler-ca.com
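
Added example, not part of the original message or the kernel source: a small C helper that decodes the CapEff mask from /proc/<pid>/status text and reports whether a process holding only CAP_AUDIT_WRITE would pass the CAP_AUDIT_CONTROL check that the thread describes for writes to /proc/pid/loginuid. The function names and the two status samples are constructed for illustration; the bit numbers 29 and 30 are those in <linux/capability.h>.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers as defined in <linux/capability.h>. */
#define CAP_AUDIT_WRITE   29
#define CAP_AUDIT_CONTROL 30

/* Constructed samples: a login helper with CAP_AUDIT_WRITE only, and one with both. */
static const char SAMPLE_WRITE_ONLY[] =
    "Name:\tlogin-example\nCapPrm:\t0000000020000000\nCapEff:\t0000000020000000\n";
static const char SAMPLE_BOTH[] =
    "Name:\tlogin-example\nCapPrm:\t0000000060000000\nCapEff:\t0000000060000000\n";

/* Find the CapEff line in status text; returns 0 on success, -1 if absent or empty. */
int parse_capeff(const char *status, unsigned long long *mask)
{
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            const char *v = p + 7;
            while (*v == ' ' || *v == '\t') v++;
            /* Reject an empty field so strtoull cannot run on into the next line. */
            if (!isxdigit((unsigned char)*v)) return -1;
            *mask = strtoull(v, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

int has_cap(unsigned long long mask, int cap) { return (int)((mask >> cap) & 1ULL); }

/* Assumption taken from the thread: the loginuid write is gated on CAP_AUDIT_CONTROL. */
int may_write_loginuid(unsigned long long mask) { return has_cap(mask, CAP_AUDIT_CONTROL); }

int main(void)
{
    const char *samples[] = { SAMPLE_WRITE_ONLY, SAMPLE_BOTH };
    for (int i = 0; i < 2; i++) {
        unsigned long long m = 0;
        if (parse_capeff(samples[i], &m) != 0) return 1;
        printf("CapEff=%016llx AUDIT_WRITE=%d AUDIT_CONTROL=%d loginuid write %s\n",
               m, has_cap(m, CAP_AUDIT_WRITE), has_cap(m, CAP_AUDIT_CONTROL),
               may_write_loginuid(m) ? "permitted" : "denied");
    }
    return 0;
}
```

Feeding it the contents of /proc/<pid>/status for a service that uses pam_loginuid.so shows whether that service has been granted the broader capability.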