public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Christian Göttsche" <cgzones@googlemail.com>
Subject: Re: shadow: what uid to log?
Date: Wed, 23 Oct 2019 12:20:13 -0400
Message-ID: <3027837.ooMb3ITpCv@x2>
In-Reply-To: <CAJ2a_Dcm0ehsAPUb27DdamBbho7=RMhHxeFrM=yKz+vcAN-dpA@mail.gmail.com>

On Thursday, October 17, 2019 5:05:56 PM EDT Christian Göttsche wrote:
> I am working on migrating src:shadow to today's SELinux api and
> enabling audit logging for denials.

From within the application? It seems that policy could be/is written to 
block execution and prevent any changes. That is, unless you are allowing fine 
grained controls like you can update the password but not the user name or 
anything else in the database.

> The question which uid to log with 'audit_log_user_avc_message' came up.

This is normally thought of in a client/server situation such as dbus (system 
not session). Dbus runs as root and has no associated login uid so in this 
case you would want to know who dbus was making a decision for. It would know 
who the peer is.

In the case where the application is invoked by the user, just use the uid to 
whatever the account is that is being operated on. In the case where no 
account exists because it is being created, then use -1.

> What is preferred for the applications like passwd, chfn, ... , which
> might be setuid binaries (getuid, geteuid, 0)?

Hope this helps...

-Steve

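An added example, not code from this thread or from shadow, applying the rule above in C: the uid handed to audit_log_user_avc_message() is that of the account being operated on, or -1 while that account does not yet exist. The HAVE_LIBAUDIT build guard, the message wording and the shadow_* function names are this example's own assumptions.

```c
/* Added example, not shadow's code. Chooses the uid argument for
 * audit_log_user_avc_message() as described in the reply above. The
 * HAVE_LIBAUDIT guard is an assumed build flag so the decision logic
 * also compiles and runs where libaudit is not installed. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef HAVE_LIBAUDIT
#include <libaudit.h>
#endif

/* The uid to report: the account the command acts on, or -1 while that
 * account does not exist yet (e.g. useradd creating it). The caller's
 * own getuid()/geteuid() is deliberately not used; the kernel already
 * records auid and uid from the process credentials. */
uid_t shadow_audit_uid(const char *target_user)
{
    struct passwd *pw = target_user ? getpwnam(target_user) : NULL;
    return pw ? pw->pw_uid : (uid_t)-1;
}

/* Build the denial text. The wording is this example's own; the kernel
 * only carries it as the msg field of the USER_AVC record. */
int shadow_format_avc(char *buf, size_t len, const char *op,
                      const char *target_user, const char *scontext,
                      const char *tcontext)
{
    return snprintf(buf, len,
                    "avc: denied { %s } for acct=\"%s\" scontext=%s tcontext=%s",
                    op, target_user ? target_user : "?", scontext, tcontext);
}

/* Emit the record. Returns libaudit's result, or 0 when built without it. */
int shadow_log_denial(const char *op, const char *target_user,
                      const char *scontext, const char *tcontext)
{
    char msg[256];
    shadow_format_avc(msg, sizeof msg, op, target_user, scontext, tcontext);
#ifdef HAVE_LIBAUDIT
    int fd = audit_open();
    if (fd < 0)
        return fd;
    int rc = audit_log_user_avc_message(fd, AUDIT_USER_AVC, msg, NULL, NULL,
                                        ttyname(STDIN_FILENO),
                                        shadow_audit_uid(target_user));
    audit_close(fd);
    return rc;
#else
    fprintf(stderr, "(no libaudit) uid=%d %s\n",
            (int)shadow_audit_uid(target_user), msg);
    return 0;
#endif
}
```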