On Thursday 23 June 2005 17:08, David Woodhouse wrote:
> If you send a message and disappear without waiting for the ack, then
> your message may or may not get logged. If it _is_ logged, then it'll be
> logged with the correct credentials.
uid, pid, and loginuid are the only things collected by netlink for the
sender's credentials. Another app could reuse the pid by the time the netlink
message is processed. The lookup will succeed, but the check is against the
wrong process.
> I think it's OK to declare that sending a message without waiting for
> the ack is not guaranteed to work.
We make no requirements for this anywhere else. We just need to filter against
the netlink credentials since that is all we know to be true.
> I'm more interested in finding the real reason why it didn't work. Were
> you setting the syscall bitmask to all ones in auditctl?
Yes.
-Steve