[PATCH] Auditd shutdown credentials

Steve Grubb sgrubb at redhat.com
Wed Apr 27 20:36:28 UTC 2005


On Wednesday 27 April 2005 16:09, Chris Wright wrote:
> Thanks, that does fix pure spoofing.  It's still just a best guess since
> it could be pid from one thread and uid from another (simple spinlock
> would at least guarantee consistency).

We don't have a requirement to protect against malicious acts. Policy can be 
written that locks down who can send a signal to auditd. The initscripts do 
not use threads. Besides, if you are root, you can change your own loginuid 
to anything you want. Why bother with threads?

> If it were queued, you'd be able to replay the history (at a cost).

This would be using a Scud missile to kill a mosquito. The signals are not 
queued, so what would I do with the extra ones? When would I even read them? 
On startup? It's not needed.

> I might have gotten mixed up since this audit.h is different from mine,
> but it looks like this symbol is declared for CONFIG_AUDIT, whereas
> definition is under CONFIG_AUDITSYSCALL

You're right...this could be a problem depending on your file. I'm using the 
latest 2.6.9 kernel from David's yum repo as was requested. The function 
prototype is under CONFIG_AUDIT and the macro is in the else clause. The 
function definition has no ifdefs around it and it's in auditsc.c. Is 
something wrong?

> > @@ -429,6 +435,12 @@
> >                                         NETLINK_CB(skb).pid,
> >                                         uid, seq, data);
> >               break;
> > +     case AUDIT_TERM_INFO:
> > +             term_data.uid = audit_kill_uid;
> > +             term_data.pid = audit_kill_pid;
> > +             audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_TERM_INFO,
> > +                             0, 0, &term_data, sizeof(term_data));
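Review bot: the new AUDIT_TERM_INFO case ends at the audit_send_reply() call with no `break;` visible, so unless the next line in the file is one, control falls through into whatever case follows; add an explicit `break;` after the reply. Separately, the reply copies audit_kill_uid and audit_kill_pid into term_data as two separate reads, which is exactly the torn pid/uid pair raised earlier in the thread; reading both under the same lock that the signal-path writer takes would make the reply self-consistent. The hunk also does not show whether AUDIT_TERM_INFO is covered by the permission check applied to the other message types at the top of the receive path; confirm it is, since the reply discloses the signalling process's credentials to any requester.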
>
> Hmmm, there's still room for trouble here.  The queue could be full, or you'd
> still need to drain all messages.

What queue? audit_send_reply does a netlink unicast.

> So you can guarantee that if you read 
> until queue is empty you either got this message, or it was dropped (not
> the best guarantee).  

The corresponding user space code reads the netlink socket until it gets the 
AUDIT_TERM_INFO packet.

> Would some trivially simple sysfs file help you? 

That depends on whether something is wrong above.

> > @@ -572,6 +584,8 @@
> >               audit_panic("cannot initialize netlink socket");
> >  
> >       audit_initialized = 1;
> > +     audit_kill_uid = -1;
> > +     audit_kill_pid = -1;
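Review bot: the -1 sentinel written to audit_kill_uid and audit_kill_pid here only reads as "unset" if the variables are signed; if they are declared as uid_t/pid_t the stored value is the largest unsigned value, and user space comparing against -1 must use the same type to recognise it. As already noted, a static initialiser at the declaration removes the need for these two lines in audit_init(), and the same "unset" value should be written back when auditd unregisters so that a restarted daemon does not read a stale uid/pid from a previous shutdown.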
>
> These can go at declaration

OK.

> > +     if (unlikely(audit_pid && t->pid == audit_pid)) {
> > +             if (sig == SIGTERM || sig == SIGKILL) {
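Review bot: the outer test reads audit_pid without any locking, so a concurrent auditd restart (audit_pid being rewritten) can attribute the signal to the wrong daemon instance, and the body that records the sender's uid and pid is not shown here, so it is not possible to see whether the two values are stored together under one lock as suggested earlier in the thread; taking a spinlock around the audit_pid check and both stores would close both gaps. The inner condition can also be reduced to `sig == SIGTERM` alone, since SIGKILL can never reach a handler in auditd and the recorded credentials would never be read.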
>
> It's impossible to use on SIGKILL, since auditd can't catch that signal.

I thought about that after I sent the patch...already changed that. :)

> Any reason this should be unavailable when syscall auditing is off?

No. 

> Perhaps it should be in audit core, and then make the pid/uid bits
> static again.

Can't without getting the full definition of audit_context - which is local to 
auditsc.c. Is it time to move that into the header? I suspect it was local to 
auditsc to keep people from manipulating it all over the place.

Thanks for looking this over.

-Steve
