useradd question
Steve Grubb
sgrubb at redhat.com
Mon May 20 20:12:14 UTC 2019
On Monday, May 20, 2019 4:05:55 PM EDT Lenny Bruzenak wrote:
> On 5/20/19 2:59 PM, Steve Grubb wrote:
> > So...I went digging through the source code of useradd.c. In main is this
> >
> > comment:
> > /*
> >
> > * Do the hard stuff:
> > * - open the files,
> > * - create the user entries,
> > * - create the home directory,
> > * - create user mail spool,
> > * - flush nscd caches for passwd and group services,
> > * - then close and update the files.
> > */
> >
> > If you dig around, you'll see in the above process it calls usr_update().
> > This is where the audit event is. The very next function call is
> > close_files. This is where it actually writes to the files where it
> > would be visible to auditd. So, it looks like auditing in shadow-utils
> > is busted.
> >
> > I also see where its calling pam_tally2 which is deprecated for years. It
> > should be calling faillock. I'll chat with upstream maintainers.
> >
> > -Steve
>
> Thank you Steve, much appreciated! If they are able to provide a patch,
> would you mind asking them to send me a link and I'll test it ASAP?
Sure. But I think this is an architectural issue and won't be a quick fix.
Also, I think this race is limited to useradd and groupadd. For everything
else, the mapping should be on disk and visible.
-Steve
More information about the Linux-audit
mailing list