On Tue, Mar 20, 2012 at 11:07 AM, Steve Grubb <[email protected]> wrote: > On Friday, March 16, 2012 05:50:56 PM Peter Moody wrote: >> line 1162 in auditctl.c has this: >> >> #ifndef DEBUG >> /* Make sure we are root */ >> if (getuid() != 0) { >> fprintf(stderr, "You must be root to run this program.\n"); >> return 4; >> } >> #endif >> >> Is there any particular reason to use getuid() there as opposed to >> geteuid()? > > I suppose it doesn't matter. I never envisioned having a helper application, > so > that why its the way it is. Since we are optionally linking in libcap-ng, I > suppose we could even check the capability rather than the euid.
Just the CAP_AUDIT_CONTROL capability? > Also note that > for certification purposes the file permissions are restricted. The permissions of the auditctl binary? > -Steve > >> In my particular case, we have a setuid helper that allows >> a normal user to run 'auditctl -l' (with a clean environment), and >> this prevents the setuid helper from working. -- Peter Moody Google 1.650.253.7306 Security Engineer pgp:0xC3410038 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
