Bug in auditing of sys_symlink
Aaron Lewis
the.warl0ck.1989 at gmail.com
Thu Jan 2 02:20:51 UTC 2014
Hi Alex,
Thanks for the excellent explanation. I've also checked how file
system stores a symbolic link after reading your post.
Now I know why symlink doesn't work as I thought ;-P
On Wed, Jan 1, 2014 at 2:29 AM, Alexander Viro <aviro at redhat.com> wrote:
> On Tue, Dec 31, 2013 at 06:49:49PM +0800, Aaron Lewis wrote:
>> Hi Alex,
>>
>> Sorry, I didn't make it clear.
>>
>> I need to protect all files under a directory, e.g /secure/
>>
>> So if there's any newly created symlinks that points to files under
>> that directory, e.g /secure/some_file, I will need to know.
>> (/secure is not a symlink, but an existing directory)
>> However "-a exit,always -F arch=b64 -S symlink -F success=1 -F
>> dir=/secure" doesn't do the job.
>> If I do "ln -s /secure/some_file /tmp/aa", no auditing log is generated
>
> ... because a symlink had been created in /tmp.
>
>> So I suspect auditing on symlink isn't for the source file/directory,
>> but the target "string".
>
> The target string here is "/secure/some_file".
>
>> If I do "ln -s /bin/ls /secure/new_file", an auditing log is generated.
>
> ... since that creates a symlink in /secure, symlink's target being
> "/bin/ls".
>
>> That's what I mean by "bug".
>
> Check which directory is modified by your commands. Really. ls -l /secure
> will change after the second one, but will remain unchanged after the first
> one.
>
> You can get notified when /secure is changed by symlink addition; you can
> not get notifications whenever somewhere appears a symlink that would
> resolve to something under /secure - see the posting upthread for the
> reasons why that really can't be done.
>
> BTW, ln(1) manpage is atrocious. GNU variant suffers from the usual attitude
> of GNU project towards manpages (they hate the need to be concise and
> prefer info(1) to man(1)), but BSD variant isn't much better ;-/
> An honest variant would have to contain something like "ln(1) conflates
> two unrelated functionalities - creating extra links to existing files
> and creation of symlinks. The syntax is superficially similar in both
> cases, but they would've been better off as separate commands."
>
> The thing is, original ln(1) syntax imitates that of cp(1) - ln from to
> takes an existing file ("from") and makes "to" a new name for the same
> file. Unlike cp(1), the file itself isn't copied - both directory
> entries end up refering to the same object. Other forms also imitate cp(1) -
> just as you can say cp <bunch of files> directory, you can say
> ln <bunch of files> directory.
>
> ln -s is something entirely different. ln -s target name creates a new
> symlink with "target" as contents. Target does *not* refer to a file;
> it's just a string to be interpreted when pathname resolution steps into
> name.
>
> That creates a nasty source of confusion - in the normal case (ln old new)
> we are making the file "old" show up elsewhere ("new"), but in ln -s old new
> we are making a symlink "new" that points to string "old". Note that
> both cases invite the use of word 'target', but in completely different
> meanings and applied to different ln(1) arguments ;-/
--
Best Regards,
Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1371 4D33
More information about the Linux-audit
mailing list