From mboxrd@z Thu Jan  1 00:00:00 1970
From: John Dennis <jdennis@redhat.com>
Subject: Re: [PATCH] Fix acct quoting in audit_log_acct_message())
Date: Wed, 05 Mar 2008 09:11:02 -0500
Message-ID: <47CEA9F6.9020301@redhat.com>
References: <47CCC6F0.1090005@redhat.com>	<1204663403.3216.126.camel@localhost.localdomain>	<47CDBD3D.7030101@redhat.com>	<200803041638.03430.sgrubb@redhat.com>	<1204667720.3216.161.camel@localhost.localdomain>	<1204668183.3216.165.camel@localhost.localdomain>
	<47CDCE06.3070705@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <47CDCE06.3070705@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Eric Paris <eparis@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

John Dennis wrote:
> Eric Paris wrote:
>> it needs to stay an untrusted string, but its name, well yeah, that
>> doesn't tell us a whole lot, does it?
> 
> It's the untrusted string code which is the primary culprit. If we fixed 
> audit so that *all* strings written by audit are formatted by exactly 
> one string formatting routine and that routine is sane then 99.99% of 
> the problems would go away. That was the thrust of my original email and 
> what I was most concerned about. Perhaps unfortunately the email 
> included some optional suggestions which is what some folks latched onto 
> obscuring the real issue.

I'm including a link to the original mail for reference.

https://www.redhat.com/archives/linux-audit/2008-January/msg00082.html

The primary problem is the inconsistent use of quotes around string 
values with the result it's impossible to know if a string value should 
have hexadecimal decoding performed on it. Currently the only way to 
solve the problem is to have a table of every audit message and field 
and to have such a table for every kernel version.

Of secondary concern is the fact hexadecimal encoded strings are not 
human readable whereas more conventional string escapes preserve 
readbility (to varying degrees).
-- 
John Dennis <jdennis@redhat.com>