Re: [PATCH] Fix acct quoting in audit_log_acct_message())
John Dennis wrote:
Eric Paris wrote:
> it needs to stay an untrusted string, but its name, well yeah, that
> doesn't tell us a whole lot, does it?
It's the untrusted string code which is the primary culprit. If we fixed
audit so that *all* strings written by audit are formatted by exactly
one string formatting routine and that routine is sane then 99.99% of
the problems would go away. That was the thrust of my original email and
what I was most concerned about. Perhaps unfortunately the email
included some optional suggestions which is what some folks latched onto
obscuring the real issue.
I'm including a link to the original mail for reference.
https://www.redhat.com/archives/linux-audit/2008-January/msg00082.html
The primary problem is the inconsistent use of quotes around string
values with the result it's impossible to know if a string value should
have hexadecimal decoding performed on it. Currently the only way to
solve the problem is to have a table of every audit message and field
and to have such a table for every kernel version.
Of secondary concern is the fact hexadecimal encoded strings are not
human readable whereas more conventional string escapes preserve
readbility (to varying degrees).
--
John Dennis <jdennis(a)redhat.com>