Danek Duvall wrote:
> On Thu, Nov 13, 2008 at 10:22:27AM +0000, Darren J Moffat wrote:
>
>> Calling getauid() requires the proc_audit privilege.
>
> Yeah, I looked into it a bit further. Requires bsmconv to be turned on,
> too. Shame there isn't a safe way to get the logged-in user.

[ moving this thread to audit-discuss@ ]

We hope to remove the need for an explicit enabling step and have auditing always on (but not recording anything in the default config); however, there are still some performance issues that need to be resolved before we get there.

We have also discussed having the ability to call getauid() without needing privilege. Currently we can't do that for Solaris 10 because it would require changes to our Common Criteria Security Target (costing Sun real money). However, we may be able to do this for OpenSolaris and Solaris.next releases. We would still keep some of the other audit data held about a user/process such that retrieving it requires privilege.

One of the reasons we want to solve this problem is to help with passing the audit identity across an ssh session (particularly for remote role assumption).

None of this is committed or funded work at this time though.

--
Darren J Moffat
_______________________________________________
pkg-discuss mailing list
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
