Executable permissions - Linux-audit - Linux-Audit List Archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Executable permissions

RE: Linux-audit Digest, Vol 27,...

audit rules file and Defense...

Karl MacMillan

Wednesday, 13 December 2006 Wed, 13 Dec '06

10 a.m.

Is there a reason that the audit tools that take a file name paramater (-if) are not executable by non-root users? This prevents their use by an admin to do analysis of saved audit logs with an unprivileged user login. Thanks - Karl

Reply

Show replies by date

Steve Grubb

Wednesday, 13 December Wed, 13 Dec

10:11 a.m.

On Wednesday 13 December 2006 11:00, Karl MacMillan wrote:

Is there a reason that the audit tools that take a file name paramater (-if) are not executable by non-root users?

Current tools do not. [root src]# grep getuid *.c auditctl.c: if (getuid() != 0) { auditctl.c: if (getuid() != 0) { Must be root to send netlink auditd.c: if (getuid() != 0) { Must be root to read netlink autrace.c: if (getuid() != 0) { Must be root to write to netlink. -Steve

Reply

Linda Knippers

10:19 a.m.

Steve Grubb wrote:

On Wednesday 13 December 2006 11:00, Karl MacMillan wrote: >Is there a reason that the audit tools that take a file name paramater >(-if) are not executable by non-root users? Current tools do not. [root src]# grep getuid *.c auditctl.c: if (getuid() != 0) { auditctl.c: if (getuid() != 0) { Must be root to send netlink auditd.c: if (getuid() != 0) { Must be root to read netlink autrace.c: if (getuid() != 0) { Must be root to write to netlink.

I think Karl is talking about the mode bits. The audit tools are 750, owned by root,root, on my system, so not executable by non-root users. -- ljk

Reply

Karl MacMillan

10:20 a.m.

Steve Grubb wrote:

On Wednesday 13 December 2006 11:00, Karl MacMillan wrote: > Is there a reason that the audit tools that take a file name paramater > (-if) are not executable by non-root users? Current tools do not.

[root@localhost ~]# ls -l /sbin/au* -rwxr-x--- 1 root root 3080 Dec 1 11:37 /sbin/audispd* -rwxr-x--- 1 root root 88216 Dec 1 11:37 /sbin/auditctl* -rwxr-x--- 1 root root 96068 Dec 1 11:37 /sbin/auditd* -rwxr-x--- 1 root root 102864 Dec 1 11:37 /sbin/aureport* -rwxr-x--- 1 root root 115420 Dec 1 11:37 /sbin/ausearch* -rwxr-x--- 1 root root 68816 Dec 1 11:37 /sbin/autrace* [root@localhost ~]# rpm -qa | grep audit audit-libs-1.3-3.fc7 audit-1.3-3.fc7 audit-libs-python-1.3-3.fc7 audit-libs-devel-1.3-3.fc7 It's not the code, but rather the default permissions on the executables. So this might just be a packaging problem. Thanks - Karl

Reply

Steve Grubb

11:14 a.m.

On Wednesday 13 December 2006 11:20, Karl MacMillan wrote:

So this might just be a packaging problem.

Yeah, I think I can open it for those two programs. -Steve

Reply

6583

days inactive

6583

days old

linux-audit@lists.linux-audit.osci.io

Manage subscription

4 comments

3 participants

tags (0)

participants (3)

Karl MacMillan
Linda Knippers
Steve Grubb