proc_loginuid_write() checks wrong capability?

Stephen Smalley sds at tycho.nsa.gov
Tue Feb 6 19:08:38 UTC 2007


On Tue, 2007-02-06 at 10:27 -0800, Steve Beattie wrote:
> Hi,
> 
> Looking at the code for proc_loginuid_write() in Linus' git tree, the
> capability CAP_AUDIT_CONTROL is needed to write to /proc/pid/loginuid
> and generate LOGIN type records. This seems to run counter to the
> capabilities(7) manpage, which suggests that CAP_AUDIT_CONTROL is to
> "Enable and disable kernel auditing; change auditing filter rules;
> retrieve auditing status and filtering rules", whereas CAP_AUDIT_WRITE
> is to "Allow records to be written to kernel auditing log."

Setting the loginuid of a process is a form of "control" over the audit
system, as the loginuid is the basis for user accountability in the
audit framework.  It differs from merely generating a user audit
message.  There was some discussion of introducing a third audit
capability, but no support for it.

Note btw that it is possible to separately control the netlink audit
interface as SELinux does in order to impose additional requirements on
those operations (nlmsg_read, _write, _readpriv, and _relay in SELinux).

> Should the following patch be applied, or am I misunderstanding
> something? It doesn't seem quite right that anything that makes use of
> pam_loginuid.so should need to be granted the capability that allows
> enabling and disabling kernel auditing or changing filter rules.
> 
> Signed-off-by: Steve Beattie <sbeattie at suse.de>
> ---
>  fs/proc/base.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> Index: kernel-linus/fs/proc/base.c
> ===================================================================
> --- kernel-linus.orig/fs/proc/base.c
> +++ kernel-linus/fs/proc/base.c
> @@ -741,7 +741,7 @@ static ssize_t proc_loginuid_write(struc
>  	ssize_t length;
>  	uid_t loginuid;
>  
> -	if (!capable(CAP_AUDIT_CONTROL))
> +	if (!capable(CAP_AUDIT_WRITE))
>  		return -EPERM;
>  
>  	if (current != pid_task(proc_pid(inode), PIDTYPE_PID))
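Review bot: Relaxing the check at the top of proc_loginuid_write() from CAP_AUDIT_CONTROL to CAP_AUDIT_WRITE lets any task holding the weaker capability rewrite its own loginuid, and the only other guard visible in the hunk (`if (current != pid_task(proc_pid(inode), PIDTYPE_PID))`) restricts which task may be written to, not who may write. Because loginuid is the basis for user accountability in audit records, the patch description should justify why a holder of CAP_AUDIT_WRITE (a capability for emitting records) should also be trusted to change it; the pam_loginuid.so deployment concern alone does not establish that, so as posted the hunk weakens the accountability guarantee without a stated rationale.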
> 
> Thanks.
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
-- 
Stephen Smalley
National Security Agency