On Fri, 2005-02-04 at 10:58 -0600, Serge E. Hallyn wrote:
> Most audit control messages are sent over netlink. In order to properly
> log the identity of the sender of audit control messages, we would like
> to add the loginuid to the netlink_creds structure, as per the attached
> patch.
I think it would be better to leave the loginuid in the payload of the
audit packets, not put it into generic netlink structures.
In the common case where audit messages are being generated by the
kernel, the loginuid can be trusted anyway, and doesn't need to be
handled by netlink.
The only time it's possibly worth verifying it is for the case where
userspace is sending AUDIT_USER messages -- for which the process needs
CAP_AUDIT_WRITE anyway. And if you're then going to trust the rest of
what that process sends, what's wrong with trusting the loginuid which
it provides too?
Why should it be impossible for a trusted logging dæmon to log actions
of another process, running with a loginuid other than the loginuid of
the dæmon?
--
dwmw2
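As an added illustration of the alternative dwmw2 argues for (keeping the loginuid in the audit payload rather than in netlink_creds), the following is example code written for this page, not code from the thread, the attached patch, or the kernel. It assumes a text payload in which the login uid appears as an "auid=" field (the form used by userspace audit messages), mirrors the struct nlmsghdr layout locally so it compiles without kernel headers, and uses the AUDIT_USER message type value 1005 from <linux/audit.h>. The receiver side shows the bounds checks a consumer needs before it can trust anything in such a payload: header length against buffer length, message type, and field boundaries.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as struct nlmsghdr in <linux/netlink.h>, redefined here
 * (assumption for this example) so it builds without kernel headers. */
struct nlhdr {
    uint32_t nlmsg_len;   /* total length, header included */
    uint16_t nlmsg_type;  /* message content type */
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;   /* sending process port id */
};

#define NLHDR_ALIGNTO 4u
#define NLHDR_ALIGN(len) (((len) + NLHDR_ALIGNTO - 1) & ~(NLHDR_ALIGNTO - 1))
#define NLHDR_LEN NLHDR_ALIGN(sizeof(struct nlhdr))

#define AUDIT_USER 1005 /* value from <linux/audit.h> */

/* Build an AUDIT_USER message whose text payload carries the loginuid
 * as an "auid=" field. Returns the message length, or 0 if it does not fit. */
size_t build_audit_user_msg(uint8_t *buf, size_t cap, uint32_t sender_pid,
                            const char *text)
{
    size_t textlen = strlen(text);
    size_t total = NLHDR_LEN + textlen;
    if (total > cap)
        return 0;
    struct nlhdr h = { .nlmsg_len = (uint32_t)total, .nlmsg_type = AUDIT_USER,
                       .nlmsg_flags = 0, .nlmsg_seq = 0, .nlmsg_pid = sender_pid };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + NLHDR_LEN, text, textlen);
    return total;
}

/* Recover the loginuid from the payload. Returns 0 and sets *auid on
 * success; -1 if the message is truncated, is not AUDIT_USER, or has no
 * well-formed "auid=<decimal>" field at a field boundary. */
int parse_payload_auid(const uint8_t *buf, size_t len, uint32_t *auid)
{
    struct nlhdr h;
    if (len < NLHDR_LEN)
        return -1;
    memcpy(&h, buf, sizeof h);
    if (h.nlmsg_len < NLHDR_LEN || h.nlmsg_len > len)
        return -1;                      /* header claims more than we hold */
    if (h.nlmsg_type != AUDIT_USER)
        return -1;

    const uint8_t *p = buf + NLHDR_LEN;
    size_t plen = h.nlmsg_len - NLHDR_LEN;   /* payload is not NUL-terminated */
    static const char key[] = "auid=";
    size_t klen = sizeof key - 1;

    for (size_t i = 0; i + klen <= plen; i++) {
        /* the field must start the payload or follow a space */
        if ((i == 0 || p[i - 1] == ' ') && memcmp(p + i, key, klen) == 0) {
            size_t j = i + klen;
            if (j >= plen || p[j] < '0' || p[j] > '9')
                return -1;
            uint64_t v = 0;
            while (j < plen && p[j] >= '0' && p[j] <= '9') {
                v = v * 10 + (uint64_t)(p[j] - '0');
                if (v > UINT32_MAX)
                    return -1;          /* does not fit a uid */
                j++;
            }
            if (j < plen && p[j] != ' ')
                return -1;              /* garbage glued to the number */
            *auid = (uint32_t)v;
            return 0;
        }
    }
    return -1;
}

int main(void)
{
    uint8_t buf[256];
    uint32_t auid = 0;
    /* constructed sample message from a sender with loginuid 1000 */
    size_t n = build_audit_user_msg(buf, sizeof buf, 4242,
                                    "auid=1000 msg='login ok'");
    if (n && parse_payload_auid(buf, n, &auid) == 0)
        printf("payload loginuid: %u\n", auid);
    else
        printf("no usable loginuid in payload\n");
    return 0;
}
```

Whether the receiver may believe that value is a separate question, which is the one the reply raises: the parser only establishes that the field is well formed, and the trust decision still rests on who was allowed to send the message (CAP_AUDIT_WRITE for userspace senders).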