From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: useradd question Date: Mon, 20 May 2019 16:12:14 -0400 Message-ID: <2529210.r6ccOtJCrL@x2> References: <2786293.P8e7BSF5A5@x2> <75873a5b-255c-9b31-1b0e-6a1552021ab1@magitekltd.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <75873a5b-255c-9b31-1b0e-6a1552021ab1@magitekltd.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Lenny Bruzenak Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Monday, May 20, 2019 4:05:55 PM EDT Lenny Bruzenak wrote: > On 5/20/19 2:59 PM, Steve Grubb wrote: > > So...I went digging through the source code of useradd.c. In main is this > > > > comment: > > /* > > > > * Do the hard stuff: > > * - open the files, > > * - create the user entries, > > * - create the home directory, > > * - create user mail spool, > > * - flush nscd caches for passwd and group services, > > * - then close and update the files. > > */ > > > > If you dig around, you'll see in the above process it calls usr_update(). > > This is where the audit event is. The very next function call is > > close_files. This is where it actually writes to the files where it > > would be visible to auditd. So, it looks like auditing in shadow-utils > > is busted. > > > > I also see where its calling pam_tally2 which is deprecated for years. It > > should be calling faillock. I'll chat with upstream maintainers. > > > > -Steve > > Thank you Steve, much appreciated! If they are able to provide a patch, > would you mind asking them to send me a link and I'll test it ASAP? Sure. But I think this is an architectural issue and won't be a quick fix. Also, I think this race is limited to useradd and groupadd. For everything else, the mapping should be on disk and visible. -Steve