On Wed, Mar 21, 2012 at 1:12 PM, Steve Grubb <[email protected]> wrote:
> On Wednesday, March 21, 2012 12:38:06 PM Peter Moody wrote:
>> On Tue, Mar 20, 2012 at 11:07 AM, Steve Grubb <[email protected]> wrote:
>> > On Friday, March 16, 2012 05:50:56 PM Peter Moody wrote:
>> >> line 1162 in auditctl.c has this:
>> >>
>> >> #ifndef DEBUG
>> >>         /* Make sure we are root */
>> >>         if (getuid() != 0) {
>> >>                 fprintf(stderr, "You must be root to run this program.\n");
>> >>                 return 4;
>> >>         }
>> >> #endif
>> >>
>> >> Is there any particular reason to use getuid() there as opposed to
>> >> geteuid()?
>> >
>> > I suppose it doesn't matter. I never envisioned having a helper
>> > application, so that's why it's the way it is. Since we are optionally
>> > linking in libcap-ng, I suppose we could even check the capability
>> > rather than the euid.
>>
>> Just the CAP_AUDIT_CONTROL capability?
>
> On the -m command, it instead needs CAP_AUDIT_WRITE.

Actually, is there any reason that check can't just be removed to
allow the kernel to reply with an error if an unprivileged/uncapable
user tries executing auditctl? Requiring CAP_AUDIT_WRITE seems strange
if the user is just executing auditctl -h or auditctl -v (though those
are the only two commands I can see that a normal user should be able
to execute).

>> > Also note that
>> > for certification purposes the file permissions are restricted.
>>
>> The permissions of the auditctl binary?
>
> Yes. We ship it 0750.
>
> -Steve

--
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
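
The per-option capability check discussed in this thread, as an added example that is not part of the original messages or of the audit project's code. It assumes the effective set is read from the `CapEff:` line of `/proc/<pid>/status` rather than through libcap-ng; `parse_cap_eff`, `required_cap`, `may_run` and the sample status excerpts are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit numbers from <linux/capability.h>, repeated so no kernel headers are needed. */
#define CAP_AUDIT_WRITE_BIT   29
#define CAP_AUDIT_CONTROL_BIT 30

/* Constructed /proc/<pid>/status excerpts (Uid: real, effective, saved, fs). */
static const char SAMPLE_SETUID[] = "Name:\tauditctl\nUid:\t1000\t0\t0\t0\nCapEff:\t0000003fffffffff\n";
static const char SAMPLE_HELPER[] = "Name:\thelper\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000020000000\n";
static const char SAMPLE_USER[]   = "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n";

/* Read the effective capability mask from status text; -1 if CapEff is missing. */
int parse_cap_eff(const char *status, uint64_t *mask)
{
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            *mask = strtoull(p + 7, NULL, 16);   /* strtoull skips the tab */
            return 0;
        }
        p = strchr(p, '\n');                     /* advance to the next line */
        if (p) p++;
    }
    return -1;
}

/* Hypothetical mapping taken from the thread: -m needs CAP_AUDIT_WRITE,
 * -h and -v need nothing, every other option is treated as CAP_AUDIT_CONTROL. */
int required_cap(const char *opt)
{
    if (strcmp(opt, "-h") == 0 || strcmp(opt, "-v") == 0) return -1;
    if (strcmp(opt, "-m") == 0) return CAP_AUDIT_WRITE_BIT;
    return CAP_AUDIT_CONTROL_BIT;
}

/* 1 if a process with this status text holds what the option needs, else 0. */
int may_run(const char *status, const char *opt)
{
    uint64_t eff;
    int cap = required_cap(opt);
    if (cap < 0) return 1;                           /* help/version: no check */
    if (parse_cap_eff(status, &eff) != 0) return 0;  /* fail closed */
    return (int)((eff >> cap) & 1);
}

int main(void)
{
    printf("setuid -l: %d\n", may_run(SAMPLE_SETUID, "-l"));
    printf("helper -m: %d\n", may_run(SAMPLE_HELPER, "-m"));
    printf("user   -l: %d\n", may_run(SAMPLE_USER, "-l"));
    return 0;
}
```

In `SAMPLE_SETUID` the real uid is 1000 while the effective uid is 0, so the quoted `getuid() != 0` test would reject that process even though its effective set contains both audit capabilities.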
