--- Steve Beattie <[EMAIL PROTECTED]> wrote:

> Hi,
>
> Looking at the code for proc_loginuid_write() in Linus' git tree, the
> capability CAP_AUDIT_CONTROL is needed to write to /proc/pid/loginuid
> and generate LOGIN type records. This seems to run counter to the
> capabilities(7) manpage, which suggests that CAP_AUDIT_CONTROL is to
> "Enable and disable kernel auditing; change auditing filter rules;
> retrieve auditing status and filtering rules", whereas CAP_AUDIT_WRITE
> is to "Allow records to be written to kernel auditing log."
>
> Should the following patch be applied, or am I misunderstanding something?
The latter. CAP_AUDIT_WRITE allows you to create audit records, and that's it. It does not allow you to change how they're managed, which is an important aspect of the loginuid of a process. Updating the loginuid changes information that will go into audit records, and that is strongly related to "filtering rules".

> It doesn't seem quite right that anything that makes use of
> pam_loginuid.so should need to be granted the capability that allows
> enabling and disabling kernel auditing or changing filter rules.

Although the current audit system doesn't do so (at least, I don't think it does, I could be wrong) specifying audit characteristics on a per-session basis would require that capability.

Casey Schaufler
[EMAIL PROTECTED]

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
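As an added example (not from the thread or either author): a small Python check that decodes the CapEff mask from /proc/<pid>/status and reports whether a process holds CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL, and therefore whether it could set loginuid under the rule Casey describes. The capability bit numbers are assumed from linux/capability.h; the sample status text is constructed.

```python
# Capability bit numbers, assumed from linux/capability.h.
CAP_AUDIT_WRITE = 29    # may emit audit records (e.g. USER_* messages)
CAP_AUDIT_CONTROL = 30  # may manage auditing; also gates /proc/pid/loginuid


def has_cap(capeff_hex: str, bit: int) -> bool:
    """True if capability `bit` is set in a CapEff mask given as hex text."""
    return bool((int(capeff_hex, 16) >> bit) & 1)


def loginuid_write_allowed(capeff_hex: str) -> bool:
    """Mirror the thread's point: writing /proc/pid/loginuid needs
    CAP_AUDIT_CONTROL; holding only CAP_AUDIT_WRITE is not enough."""
    return has_cap(capeff_hex, CAP_AUDIT_CONTROL)


def audit_caps_summary(capeff_hex: str) -> dict:
    """Summarise the audit-related capabilities in a CapEff mask."""
    return {
        "CAP_AUDIT_WRITE": has_cap(capeff_hex, CAP_AUDIT_WRITE),
        "CAP_AUDIT_CONTROL": has_cap(capeff_hex, CAP_AUDIT_CONTROL),
        "can_set_loginuid": loginuid_write_allowed(capeff_hex),
    }


def capeff_from_status(status_text: str) -> str:
    """Extract the CapEff hex mask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split()[1]
    raise ValueError("no CapEff line in status text")


def current_process_summary() -> dict:
    """Decode the capabilities of the running process (Linux only)."""
    with open("/proc/self/status", encoding="ascii") as fh:
        return audit_caps_summary(capeff_from_status(fh.read()))


# Constructed sample: a daemon holding only CAP_AUDIT_WRITE (bit 29).
SAMPLE_STATUS = "Name:\tsample-daemon\nCapEff:\t0000000020000000\n"

if __name__ == "__main__":
    print("sample:", audit_caps_summary(capeff_from_status(SAMPLE_STATUS)))
    try:
        print("self:  ", current_process_summary())
    except OSError:
        print("self:   /proc not available on this system")
```

A service that needs to set loginuid but shows can_set_loginuid as False here is exactly the case Steve raises; granting it CAP_AUDIT_CONTROL also grants the ability to change audit rules, which is the trade-off Casey's reply describes.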
