hexified path in cwd audit message if dir no longer exists
paul moore
paulmoore100 at hotmail.com
Sat May 5 00:47:19 UTC 2007
Redhat es4 x86 monoproc
Kernel 2.6.9-34.EL
Audit 1.0.12-1.EL4
Occasiaonally I get a CWD audit message that has a hexified path in it.
Like this
$1 = "audit(1178324383.479:1566):
cwd=2F70726F632F35373336202864656C6574656429\000
This is "/proc/5736"
The message is coming from a shell process whose current dir is /proc/5736
and 5736 exited The cwd path contains junk after the "6" character - so
audit unstrusted string has hexified it I have not tried with real dirs
Bug?
More information about the Linux-audit
mailing list