From: Steve Grubb
Subject: Re: open() syscall and success=0 question
Date: Tue, 13 May 2008 10:46:10 -0400
Message-ID: <200805131046.10852.sgrubb@redhat.com>
References: <20080513141353.GB4939@cisco.com> <200805131024.42025.sgrubb@redhat.com> <20080513143657.GC4939@cisco.com>
In-Reply-To: <20080513143657.GC4939@cisco.com>
To: Keith Kaple
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday 13 May 2008 10:36:58 Keith Kaple wrote:
> Can you elaborate a little on EPERM vs. EACCES?
>
> Say a normal user tries to cp /etc/passwd and gets "permission denied" in
> the shell, will exit=-EPERM or -EACCES?

According to man 2 open, both could be returned for a permission error. strace tells us this, though:

open("/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)

So, for that scenario, you want to also have a rule of:

auditctl -a exit,always -S open -F exit=-EACCES

> I assume there will be an entry for both if perhaps success=0 alone is
> used..

Yes, and there will be one for any ENOENT and a host of other failed returns. You will need 2 rules to cover both permission denied return codes.

-Steve
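The following is an added example, not code from the thread above or from the audit project. It illustrates Steve's point with constructed audit.log records: a success=0 rule would log every failed open() (including ENOENT), while the EACCES and EPERM rule pair logs only the permission-denied ones. It assumes x86_64 errno numbering (EPERM=1, ENOENT=2, EACCES=13), which is what the exit= field of a raw SYSCALL record carries before ausearch -i translates it, and syscall=2 (open on x86_64); the sample records, audit ids and key name are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or the audit project).
# Assumes x86_64 errno values: EPERM=1, ENOENT=2, EACCES=13, and that
# raw audit.log SYSCALL records carry the numeric value in exit=.

# The rule pair from the thread, as loaded with auditctl. A single
# success=0 rule would also match ENOENT and every other failed return,
# so each permission-denied errno gets its own -F exit= rule.
audit_rules_permission_denied() {
    cat <<'EOF'
-a exit,always -S open -F exit=-EACCES
-a exit,always -S open -F exit=-EPERM
EOF
}

# Map the numeric exit= value of a raw SYSCALL record to its errno name
# (the translation ausearch -i performs).
errno_name() {
    case "$1" in
        -1)  echo EPERM ;;
        -2)  echo ENOENT ;;
        -13) echo EACCES ;;
        *)   echo "errno($1)" ;;
    esac
}

# Constructed sample records (not real captures): one successful open,
# then one EACCES, one EPERM and one ENOENT failure.
SAMPLE_LOG='type=SYSCALL msg=audit(1210689370.101:1001): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1000 auid=500 uid=500 comm="cat" exe="/bin/cat" key="open-watch"
type=SYSCALL msg=audit(1210689370.102:1002): arch=c000003e syscall=2 success=no exit=-13 a0=7fff1000 auid=500 uid=500 comm="cp" exe="/bin/cp" key="open-watch"
type=SYSCALL msg=audit(1210689370.103:1003): arch=c000003e syscall=2 success=no exit=-1 a0=7fff1000 auid=500 uid=500 comm="cp" exe="/bin/cp" key="open-watch"
type=SYSCALL msg=audit(1210689370.104:1004): arch=c000003e syscall=2 success=no exit=-2 a0=7fff1000 auid=500 uid=500 comm="cat" exe="/bin/cat" key="open-watch"'

# Extract the exit= value from one SYSCALL record line.
exit_of() {
    printf '%s\n' "$1" | sed -n 's/.* exit=\([-0-9]*\).*/\1/p'
}

# What a success=0 rule would log: every failed open(), whatever the errno.
count_failed() {
    printf '%s\n' "$1" | grep -c 'type=SYSCALL .* success=no '
}

# What the EACCES+EPERM rule pair logs: only the permission-denied failures.
# Prints "<audit serial> <errno name> <comm>" per matching record.
permission_denied_records() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in *type=SYSCALL*) ;; *) continue ;; esac
        e=$(exit_of "$line")
        case "$e" in
            -13|-1)
                serial=$(printf '%s\n' "$line" | sed -n 's/.*msg=audit([0-9.]*:\([0-9]*\)).*/\1/p')
                comm=$(printf '%s\n' "$line" | sed -n 's/.* comm="\([^"]*\)".*/\1/p')
                printf '%s %s %s\n' "$serial" "$(errno_name "$e")" "$comm"
                ;;
        esac
    done
}

count_permission_denied() {
    permission_denied_records "$1" | grep -c .
}

# Running stand-alone prints the two permission-denied records; the ENOENT
# failure (1004) is the one success=0 alone would have swept in as well.
permission_denied_records "$SAMPLE_LOG"
```

On a real system, load the rule pair with `audit_rules_permission_denied | while read -r r; do auditctl $r; done` (or put the two lines in audit.rules) and compare `ausearch -k open-watch -i` against the numeric exit= values in the raw log; the counts above show the difference between the three records a success=0 rule would produce and the two the errno-specific rules produce.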