auid

Russell Coker russell at coker.com.au
Thu Feb 9 21:06:27 UTC 2006


On Friday 10 February 2006 05:13, Steve G <linux_4ever at yahoo.com> wrote:
> >so in the absence of SELinux (e.g. CAPP-only configuration), any uid 0
> > process can mutate its loginuid later to mask the original one,
>
> Or it can delete the audit logs or re-write syslog or install a rootkit
> covering everything up. The only defence against this kind of tampering is
> remote logging.
>
> >and in the presence of SELinux, any program authorized for audit_control
> > can mutate its loginuid later (so a smaller exposure, but still a
> > possibility).
>
> So...why doesn't policy restrict this even further so that the 10 apps that
> need to set this are the *only* ones that can do so?
>
> The list is: login, sshd, vsftpd, postfix, procmail, cron, at, gdm, kdm, &
> xdm.

Also every other mail server including Sendmail.

The Postfix code supports multiple deliveries initiated from the one local 
process and I wrote code to reset the auid for this.  This is one thing that 
I think is a bad idea, in fact I'll suggest to Wietse that Postfix be changed 
to only have one delivery per instance of the local process, fork() is cheap 
by any measure and particularly when compared to all the synchronous disk IO 
that occurs when a mail server is doing delivery.

Does procmail really need this?

As for Sendmail, one program which does EVERYTHING including the ability to 
reset auid.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
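
Added example, not part of the original message or of any project's code: a check over audit LOGIN records that reports any change to a loginuid that had already been set, the later mutation this thread is concerned with. The log lines are constructed, and the two record layouts handled ("old auid=N new auid=M" and "old-auid=N auid=M") are assumptions about what the kernel writes.

```python
import re

UNSET = 4294967295  # (uid_t)-1, the value before any login has set loginuid

HEADER = re.compile(r"^type=LOGIN msg=audit\((\d+\.\d+):(\d+)\):")
# Assumed layouts: "old auid=N new auid=M" and "old-auid=N auid=M".
AUIDS = re.compile(r"old[ -]auid=(\d+)(?: new)? auid=(\d+)")
PID = re.compile(r"\bpid=(\d+)")
UID = re.compile(r"\buid=(\d+)")  # \b keeps this from matching inside "auid="


def loginuid_resets(lines):
    """Return LOGIN records that change a loginuid which was already set."""
    hits = []
    for line in lines:
        head = HEADER.match(line)
        auids = AUIDS.search(line)
        if not head or not auids:
            continue  # not a LOGIN record, or a layout this check does not know
        old, new = int(auids.group(1)), int(auids.group(2))
        if old == UNSET:
            continue  # first assignment at login, the expected case
        pid, uid = PID.search(line), UID.search(line)
        hits.append({
            "serial": int(head.group(2)),
            "pid": int(pid.group(1)) if pid else None,
            "uid": int(uid.group(1)) if uid else None,
            "old_auid": old,
            "new_auid": new,
        })
    return hits


# Constructed sample records (not taken from a real system).
SAMPLE = [
    "type=LOGIN msg=audit(1139519187.101:41): login pid=2101 uid=0 old auid=4294967295 new auid=500",
    "type=LOGIN msg=audit(1139519250.442:57): login pid=2188 uid=0 old auid=500 new auid=501",
    "type=USER_START msg=audit(1139519251.010:58): user pid=2188 uid=0 auid=501 msg='PAM: session open'",
    "type=LOGIN msg=audit(1700000000.123:912): pid=3310 uid=0 subj=system_u:system_r:sshd_t:s0 "
    "old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=3 res=1",
    "type=LOGIN msg=audit(1700000100.500:940): pid=3402 uid=0 subj=unconfined_u:unconfined_r:unconfined_t:s0 "
    "old-auid=1000 auid=0 tty=pts0 old-ses=3 ses=4 res=1",
]

if __name__ == "__main__":
    for h in loginuid_resets(SAMPLE):
        print("event %(serial)d: pid %(pid)d (uid %(uid)d) changed auid %(old_auid)d -> %(new_auid)d" % h)
```

A mail delivery agent that resets auid once per delivery from one long-lived process would show up here on every delivery after the first, so on such a host the output has to be read with that daemon's pids in mind.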




More information about the fedora-devel-list mailing list