Supplemental Groups
Chris Wright
chrisw at osdl.org
Tue Feb 22 17:50:19 UTC 2005
* Steve Grubb (sgrubb at redhat.com) wrote:
> type=KERNEL msg=audit(1109089864.512:6279351): item=0 name=/opt/test.txt
> inode=136 dev=00:00
> type=KERNEL msg=audit(1109089864.512:6279351): syscall=5 exit=3 a0=bff6aa07
> a1=8000 a2=0 a3=8000 items=1 pid=26538 loginuid=501 uid=501 gid=501 euid=501
> suid=501 fsuid=501 egid=501 sgid=501 fsgid=501
>
> Somewhere in there I expected group #10 to be mentioned since that is what
> gave me access capability to the file. Does anyone know why it's not recorded?
It's a simple dump of basic credentials. Not only are supplemental
groups not dumped (nor capabilities), but also there is nothing that's
telling you what mode (or capability) granted you the access (ignoring
SELinux audit records).
> Don't we need that information?
I don't know, I don't think it's explicitly required by CAPP (unless
you interpret subject identity to include supplemental group IDs).
As far as groups go, they can become large (no longer a fixed size array).
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
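
Added example (not part of the original message, and not kernel code): a simplified model of the classic Unix mode-bit check, showing why the uid/gid fields in the record above cannot by themselves explain an access that was granted through a supplemental group. The file owner, file group and mode used in main() are constructed assumptions; only the 501 IDs and group 10 come from the thread.

```c
#include <stdio.h>
#include <stddef.h>

/* Classic mode-bit DAC only: ACLs, capabilities and LSMs are ignored. */
enum dac_class { DAC_OWNER, DAC_GROUP_PRIMARY, DAC_GROUP_SUPPLEMENTAL, DAC_OTHER };

struct creds {
    unsigned fsuid, fsgid;    /* present in the audit record */
    const unsigned *groups;   /* supplemental groups: not in the record */
    size_t ngroups;
};

/* want: 4 = read, 2 = write, 1 = execute (may be OR-ed).
 * Returns 1 if granted, 0 if denied; *cls is the one class consulted. */
int dac_check(const struct creds *c, unsigned f_uid, unsigned f_gid,
              unsigned mode, unsigned want, enum dac_class *cls)
{
    unsigned bits = mode & 7;             /* default: "other" bits */
    size_t i;
    *cls = DAC_OTHER;
    if (c->fsuid == f_uid) {
        *cls = DAC_OWNER;                 /* owner match never falls through */
    } else if (c->fsgid == f_gid) {
        *cls = DAC_GROUP_PRIMARY;
    } else {
        for (i = 0; i < c->ngroups; i++)
            if (c->groups[i] == f_gid)
                *cls = DAC_GROUP_SUPPLEMENTAL;
    }
    if (*cls == DAC_OWNER)
        bits = (mode >> 6) & 7;
    else if (*cls != DAC_OTHER)
        bits = (mode >> 3) & 7;
    return (bits & want) == want;
}

int main(void)
{
    /* Constructed sample: fsuid/fsgid 501 as in the record, group 10 as in
     * the mail; file owner 0, group 10, mode 0640 are assumptions. */
    static const unsigned groups[] = { 10 };
    struct creds full = { 501, 501, groups, 1 }, logged = { 501, 501, NULL, 0 };
    enum dac_class cls;
    int ok = dac_check(&full, 0, 10, 0640, 4, &cls);
    printf("real credentials: granted=%d class=%d\n", ok, (int)cls);
    ok = dac_check(&logged, 0, 10, 0640, 4, &cls);
    printf("record only:      granted=%d class=%d\n", ok, (int)cls);
    return 0;
}
```

Replaying the decision with only the logged fields yields a denial under the "other" bits, while the real credentials are granted via the supplemental group, so an analyst working from the record alone would reach the wrong conclusion about why the open succeeded.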