Supplemental Groups

Steve Grubb sgrubb at redhat.com
Tue Feb 22 16:41:08 UTC 2005


Hi,

I ran across something and was wondering if we have a deficiency/bug. Do we 
need to capture supplemental group information? For example:

[sgrubb at beast ~]$ su - root
Password:
[root at beast ~]# echo "test" > /opt/test.txt
[root at beast ~]# chmod 0660 /opt/test.txt
[root at beast ~]# chgrp wheel /opt/test.txt
[root at beast ~]# ls -l /opt/test.txt
-rw-rw----  1 root wheel 5 Feb 22 11:30 /opt/test.txt
[root at beast ~]# auditctl -a exit,always -S open -F loginuid=501
AUDIT_LIST: exit always loginuid=501 (0x10e5) syscall=open

We created a file that's readable if you have wheel as a supplemental group. 
Now from another terminal:

[sgrubb at beast ~]$ cat /opt/test.txt
test
[sgrubb at beast ~]$

OK...it worked. So let's go see what's in the logs:

type=KERNEL msg=audit(1109089864.512:6279351): item=0 name=/opt/test.txt inode=136 dev=00:00
type=KERNEL msg=audit(1109089864.512:6279351): syscall=5 exit=3 a0=bff6aa07 a1=8000 a2=0 a3=8000 items=1 pid=26538 loginuid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 fsgid=501 egid=501 sgid=501

Somewhere in there I expected group #10 to be mentioned since that is what 
gave me access capability to the file. Does anyone know why it's not recorded? 
Don't we need that information?

-Steve Grubb
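
Added example (not part of the original post or of the audit code): a C sketch of the owner/group/other read check, showing that with the credentials in the record above (fsuid=501, fsgid=501) the read of a root:wheel 0660 file is only granted through a supplemental group. Assumptions: `explain_read` and the two group lists are hypothetical and constructed, wheel is gid 10 as in the post, and capability overrides and ACLs are ignored.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Which credential satisfied a read request, following the classic
 * owner / group / other order of the Unix permission check. */
enum grant { DENIED, BY_OWNER, BY_FSGID, BY_SUPP_GROUP, BY_OTHER };

/* Constructed group lists: the first includes wheel (gid 10) as a
 * supplemental group, the second holds only what the record shows. */
static const gid_t with_wheel[]  = { 501, 10 };
static const gid_t record_only[] = { 501 };

enum grant explain_read(uid_t f_uid, gid_t f_gid, mode_t mode,
                        uid_t fsuid, gid_t fsgid,
                        const gid_t *supp, int nsupp)
{
    if (fsuid == f_uid)                  /* owner class decides alone */
        return (mode & S_IRUSR) ? BY_OWNER : DENIED;
    if (fsgid == f_gid)                  /* group class, matched by fsgid */
        return (mode & S_IRGRP) ? BY_FSGID : DENIED;
    for (int i = 0; i < nsupp; i++)      /* group class, matched by supplemental list */
        if (supp[i] == f_gid)
            return (mode & S_IRGRP) ? BY_SUPP_GROUP : DENIED;
    return (mode & S_IROTH) ? BY_OTHER : DENIED;
}

int main(void)
{
    static const char *names[] = {
        "denied", "owner", "fsgid", "supplemental group", "other"
    };
    /* /opt/test.txt from the post: owner root (0), group wheel (10), mode 0660 */
    printf("with wheel in group list: %s\n",
           names[explain_read(0, 10, 0660, 501, 501, with_wheel, 2)]);
    printf("fields in the record only: %s\n",
           names[explain_read(0, 10, 0660, 501, 501, record_only, 1)]);
    return 0;
}
```

Replayed with only the uid/gid fields the record contains, the check denies the read, so the logged credentials alone cannot account for exit=3.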




More information about the Linux-audit mailing list