On Monday, January 13, 2014 10:17:43 PM Maupertuis Philippe wrote:
> The process listens on a network port. It receives custom commands that are
> executed on the server. Only one remote host can communicate with the host;
> the user identifies himself on the remote host only. The goal is to allow
> the user to run the same scripts on a lot of servers in one command.

OK, then it sounds like you have an entry point daemon and it should be
setting the loginuid.

> Please don't tell me it's silly or insecure or that software exists to do
> that in a secure way. I would like to be able to at least monitor what
> happened through this channel. That means the listening process and all its
> children where the valuable changes to the system are made. That's why I was
> thinking of setting a dedicated loginuid.
> Maybe, eventually it would turn into a PAM-aware application with proper
> user authentication and my problems will be solved.
>
> If a simple echo does the trick, what is the use of audit_setloginuid or
> pam_loginuid?

They hide the implementation details in case it changes someday.

> Any root script can defeat audit with a single command.

There are restrictions (fs/proc/base.c). You can only set the loginuid on
yourself.

> I am gobsmacked!
> I hope I missed something.

And besides, any root process can run auditctl -e 0 and disable the audit
system (unless it was marked immutable).
-Steve
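The pattern Steve describes (an entry point daemon stamping a dedicated loginuid on itself before it forks the command handlers, so every child inherits it and audit records can be filtered on it) as a worked example. This is added illustration code, not from the thread and not from Philippe's daemon or from libaudit: it writes /proc/self/loginuid directly, which is exactly what the "simple echo" in the thread does and what audit_setloginuid() wraps. The loginuid value 4242 and the helper names are assumptions. The write needs CAP_AUDIT_CONTROL, and on kernels that treat the loginuid as set-once it fails with EPERM if the value was already set, so a real daemon does this before anything else.

```c
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The kernel's "never set" loginuid, shown in /proc as 4294967295. */
#define LOGINUID_UNSET ((uid_t)-1)

/* Parse the text of /proc/<pid>/loginuid ("1000\n", "4294967295\n").
 * Returns the value (0..4294967295) or -1 if the text is malformed.
 * Pure helper so the format handling can be checked without root. */
long long loginuid_value(const char *text)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(text, &end, 10);
    if (end == text || errno != 0 || v > 4294967295UL)
        return -1;
    while (*end == '\n' || *end == ' ')
        end++;
    return *end == '\0' ? (long long)v : -1;
}

/* Read another process's loginuid (readable; only your own is writable). */
int read_loginuid(pid_t pid, uid_t *out)
{
    char path[64], buf[32];
    snprintf(path, sizeof path, "/proc/%ld/loginuid", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    char *line = fgets(buf, sizeof buf, f);
    fclose(f);
    if (!line)
        return -1;
    long long v = loginuid_value(buf);
    if (v < 0)
        return -1;
    *out = (uid_t)v;
    return 0;
}

/* Set the calling process's own loginuid: the same operation as
 * "echo N > /proc/self/loginuid". Fails with EPERM without
 * CAP_AUDIT_CONTROL, or if the kernel considers the value immutable. */
int set_loginuid(uid_t uid)
{
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%u", (unsigned)uid);
    int fd = open("/proc/self/loginuid", O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, buf, (size_t)n);
    int saved = (w < 0) ? errno : EIO;
    close(fd);
    if (w != n) {
        errno = saved;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Assumed convention: the daemon's dedicated loginuid comes from argv[1],
     * defaulting to 4242 (an arbitrary value chosen for this example). */
    uid_t daemon_auid = argc > 1 ? (uid_t)strtoul(argv[1], NULL, 10) : 4242;

    /* Do this first: once set, later writes may be refused. */
    if (set_loginuid(daemon_auid) != 0) {
        perror("set_loginuid (need CAP_AUDIT_CONTROL)");
        return 1;
    }

    /* Everything forked from here inherits auid=4242, so the commands run
     * over the channel show up with ausearch --loginuid 4242. */
    pid_t child = fork();
    if (child == 0) {
        execl("/bin/sh", "sh", "-c", "cat /proc/self/loginuid", (char *)NULL);
        _exit(127);
    }
    int status = 0;
    waitpid(child, &status, 0);

    uid_t now;
    if (read_loginuid(getpid(), &now) == 0)
        printf("daemon loginuid is %u\n", (unsigned)now);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

This covers only the loginuid half of the thread. The second point, that root can run auditctl -e 0, is handled by ending the audit rule set with -e 2, which locks the configuration until reboot so the daemon's children cannot switch auditing off.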