From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: getuid() vs. geteuid() in auditctl Date: Wed, 21 Mar 2012 16:12:00 -0400 Message-ID: <201203211612.01097.sgrubb@redhat.com> References: <201203201407.46778.sgrubb@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Peter Moody Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Wednesday, March 21, 2012 12:38:06 PM Peter Moody wrote: > On Tue, Mar 20, 2012 at 11:07 AM, Steve Grubb wrote: > > On Friday, March 16, 2012 05:50:56 PM Peter Moody wrote: > >> line 1162 in auditctl.c has this: > >> > >> #ifndef DEBUG > >> /* Make sure we are root */ > >> if (getuid() != 0) { > >> fprintf(stderr, "You must be root to run this program.\n"); > >> return 4; > >> } > >> #endif > >> > >> Is there any particular reason to use getuid() there as opposed to > >> geteuid()? > > > > I suppose it doesn't matter. I never envisioned having a helper > > application, so that why its the way it is. Since we are optionally > > linking in libcap-ng, I suppose we could even check the capability > > rather than the euid. > > Just the CAP_AUDIT_CONTROL capability? On the -m command, it instead needs CAP_AUDIT_WRITE. > > Also note that > > for certification purposes the file permissions are restricted. > > The permissions of the auditctl binary? Yes. We ship it 0750. -Steve