On 11/9/19 8:39 AM, Steve Grubb wrote:

> On Fri, 8 Nov 2019 13:39:58 -0700
> "John T Olson" <jtol...@us.ibm.com> wrote:
>> Greetings,
>> I have the following 2 audit rules set up:
>> -a always,exit -F arch=b64 -S all -F exit=-EACCES -F dir=/gpfs/fs1
>> -a always,exit -F arch=b64 -S all -F exit=-EPERM -F dir=/gpfs/fs1
>> I have a directory structure like the following:
>> (13:15:26) zippleback-vm1:~ # ls -la /gpfs/fs1/test/
>> total 257
>> drwx------.  3 root root   4096 Nov  7 12:46 .
>> drwxr-xr-x. 15 root root 262144 Nov  7 12:50 ..
>> drwx------.  2 root root   4096 Nov  7 12:46 test2
>> Essentially, directory "/gpfs/fs1/test/" is owned by root and has
>> permissions 700.  The subdirectory underneath it (with
>> path /gpfs/fs1/test/test2) is also owned by root and has permissions
>> 700.
>> When I have a non-root user attempt to list the contents of directory
>> "/gpfs/fs1/test/" I receive an audit message for the denied access.
>> However, when the non-root user attempts to list the contents of the
>> subdirectory (/gpfs/fs1/test/test2), there is no audit message
>> generated. Does anyone know why this is and how I get audit messages
>> in both cases?
> Yes, the reason is because the path did not resolve so audit never saw
> it. This has been this way for quite some time. In the past, it was
> said because the path never resolved, a PATH record with all attributes
> could not be generated. I have mentioned to kernel maintainers, that
> the path is available as a syscall argument. While a full PATH record
> cannot be generated with file attributes, an abbreviated one could be
> generated. So, far...no one has saw this as a big enough problem to
> fix. Personally, I think it should be fixed.
At first blush, I completely agree. However, I'm wondering if the first
attempt completely failed, how would the second one even have the
knowledge of the unattainable path?

In the real world if the first one failed (in this example
/gpfs/fs1/test), because although the parent directory would list the
test directory, it is not reachable. But the listing of that oneĀ  would
not happen at all (/gpfs/fs1/test/test2), because the non-root user had
no access to the listing dir (/gpfs/fs1/test). The caller would have had
to gain knowledge of its existence through other means.

I wonder if even acknowledging its existence via a "denied access" event
would be slightly counter-productive? The abbreviated PATH would be
nice, and since it is there, sure, why not? Then, if all calls either to
non-existent or say access-denied paths looked the same, then that would
be fine I think. I would not be as happy if one could sniff out
inaccessible directories (as opposed to non-existent) from audited
events though.


Lenny Bruzenak

Linux-audit mailing list

Reply via email to