Hi Mr. Grubby, When I set "dispatcher = /mydir/audispd" in /etc/audit/auditd.conf and make the mode of /mydir/audispd to 0755, auditd can be started successfully. But I found in the codes that such file like "/mydir/audispd" is hoped as 0750. There is a little error in comparing the file's mode, "S_IRWXO" should be used not just "S_IWOTH", otherwise the file is allowed to be readable or executable by others. There is the same bug in check_exe_name(). This bug will allow the script of "exec /path-to-script" to be readable or executable by others. Here is my patch for audit-1.7.4. Hope for your opinion about such modification. Signed-off-by: Chu Li<chul(a)cn.fujitsu.com> --- diff --git a/src/auditd-config.c b/src/auditd-config.c index a7a939e..fc2fd48 100644 --- a/src/auditd-config.c +++ b/src/auditd-config.c @@ -629,7 +629,7 @@ static int dispatch_parser(struct nv_pair *nv, int line, audit_msg(LOG_ERR, "%s is not owned by root", nv->value); return 1; } - if ((buf.st_mode & (S_IRWXU|S_IRWXG|S_IWOTH)) != + if ((buf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) != (S_IRWXU|S_IRGRP|S_IXGRP)) { audit_msg(LOG_ERR, "%s permissions should be 0750", nv->value); return 1; @@ -869,7 +869,7 @@ static int check_exe_name(const char *val) audit_msg(LOG_ERR, "%s is not owned by root", val); return -1; } - if ((buf.st_mode & (S_IRWXU|S_IRWXG|S_IWOTH)) != + if ((buf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) != (S_IRWXU|S_IRGRP|S_IXGRP)) { audit_msg(LOG_ERR, "%s permissions should be 0750", val); return -1; Regards Chu Li