[Patch]Fix the bug of comparing the file's mode in dispatch_parser() and check_exe_name()
chuli
chul at cn.fujitsu.com
Sun Jul 27 07:09:30 UTC 2008
Hi Mr. Grubby,
When I set "dispatcher = /mydir/audispd" in /etc/audit/auditd.conf and make
the mode of /mydir/audispd to 0755, auditd can be started successfully. But I
found in the codes that such file like "/mydir/audispd" is hoped as 0750.
There
is a little error in comparing the file's mode, "S_IRWXO" should be used not
just
"S_IWOTH", otherwise the file is allowed to be readable or executable by
others.
There is the same bug in check_exe_name(). This bug will allow the script of
"exec /path-to-script" to be readable or executable by others.
Here is my patch for audit-1.7.4. Hope for your opinion about such
modification.
Signed-off-by: Chu Li<chul at cn.fujitsu.com>
---
diff --git a/src/auditd-config.c b/src/auditd-config.c
index a7a939e..fc2fd48 100644
--- a/src/auditd-config.c
+++ b/src/auditd-config.c
@@ -629,7 +629,7 @@ static int dispatch_parser(struct nv_pair *nv, int line,
audit_msg(LOG_ERR, "%s is not owned by root", nv->value);
return 1;
}
- if ((buf.st_mode & (S_IRWXU|S_IRWXG|S_IWOTH)) !=
+ if ((buf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) !=
(S_IRWXU|S_IRGRP|S_IXGRP)) {
audit_msg(LOG_ERR, "%s permissions should be 0750", nv->value);
return 1;
@@ -869,7 +869,7 @@ static int check_exe_name(const char *val)
audit_msg(LOG_ERR, "%s is not owned by root", val);
return -1;
}
- if ((buf.st_mode & (S_IRWXU|S_IRWXG|S_IWOTH)) !=
+ if ((buf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) !=
(S_IRWXU|S_IRGRP|S_IXGRP)) {
audit_msg(LOG_ERR, "%s permissions should be 0750", val);
return -1;
Regards
Chu Li
More information about the Linux-audit
mailing list