On Wed, Jan 05, 2005 at 03:49:31PM -0800, Casey Schaufler wrote:
> inetd (or xinetd if you're living in the 21st
> century) must set the audit flags for the child
> process it spawns, as well as the audit user id.
> xinetd invokes a child to perform an action on a
> user's behalf, which means that the action must be
> audited as that user is audited.

It's a bit more complex than this - CAPP requires that any actions on
behalf of a user happen only after authentication, which is done
centrally through PAM on Linux systems. Putting the audit hooks in PAM
ensures that any user actions can be audited properly after
authentication.

If there has been no authentication, the actions must not be considered
to be on behalf of a specific user. Note that running as a non-root UID
doesn't automatically mean that it corresponds to a human user. But it's
obviously unacceptable to run anything with the rights of a human user
based on data received from the network if the authentication steps were
not done. This rules out passwordless rsh and similar abominations.

The same type of problem appears for cron and at; these services must
ensure that the commands get run with the credentials of the user who
submitted them.

-Klaus
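
The rule discussed in this message, as an added example that is not part of the original e-mail: a check over audit records that separates actions attributed to an authenticated user from actions that ran with a human user's UID but no login UID. It assumes the current Linux audit record format, where `auid` is the login UID set through PAM (`pam_loginuid`) and 4294967295 means it was never set; the sample records and the human-UID range are constructed assumptions.

```python
import re

UNSET_AUID = 4294967295          # (uid_t)-1: login UID was never set for this process
HUMAN_UIDS = range(1000, 60000)  # assumption: UID range used for human accounts

# Constructed audit records for illustration, not taken from the original message.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1104969000.101:41): syscall=59 success=yes pid=2101 auid=1001 uid=1001 euid=1001 comm="ls" exe="/bin/ls"
type=SYSCALL msg=audit(1104969010.202:42): syscall=59 success=yes pid=2150 auid=4294967295 uid=1001 euid=1001 comm="sh" exe="/bin/sh"
type=SYSCALL msg=audit(1104969020.303:43): syscall=59 success=yes pid=2160 auid=4294967295 uid=99 euid=99 comm="in.fingerd" exe="/usr/sbin/in.fingerd"
type=SYSCALL msg=audit(1104969030.404:44): syscall=59 success=yes pid=2170 auid=1002 uid=0 euid=0 comm="id" exe="/usr/bin/id"
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def classify(rec):
    """Say on whose behalf the audited action ran."""
    auid, uid = int(rec["auid"]), int(rec["uid"])
    if auid != UNSET_AUID:
        return f"user:{auid}"             # attributed to the authenticated login, even if uid changed later
    if uid in HUMAN_UIDS:
        return "unauthenticated-as-user"  # human user's rights, but no authenticated session
    return "system"                       # daemon or service account, no specific user

def unattributed(log):
    """Return (pid, comm, uid) for records that ran as a human UID without a login UID."""
    hits = []
    for line in log.splitlines():
        rec = parse(line)
        if rec.get("type") == "SYSCALL" and classify(rec) == "unauthenticated-as-user":
            hits.append((int(rec["pid"]), rec["comm"], int(rec["uid"])))
    return hits

if __name__ == "__main__":
    for hit in unattributed(SAMPLE_LOG):
        print("no authenticated session:", hit)
```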