Hi, Looking at the code for proc_loginuid_write() in Linus' git tree, the capability CAP_AUDIT_CONTROL is needed to write to /proc/pid/loginuid and generate LOGIN type records. This seems to run counter to the capabilities(7) manpage, which suggests that CAP_AUDIT_CONTROL is to "Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules", whereas CAP_AUDIT_WRITE is to "Allow records to be written to kernel auditing log."
Should the following patch be applied, or am I misunderstanding
something? It doesn't seem quite right that anything that makes use of
pam_loginuid.so should need to be granted the capability that allows
enabling and disabling kernel auditing or changing filter rules.
Signed-off-by: Steve Beattie <[EMAIL PROTECTED]>
---
fs/proc/base.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: kernel-linus/fs/proc/base.c
===================================================================
--- kernel-linus.orig/fs/proc/base.c
+++ kernel-linus/fs/proc/base.c
@@ -741,7 +741,7 @@ static ssize_t proc_loginuid_write(struc
ssize_t length;
uid_t loginuid;
- if (!capable(CAP_AUDIT_CONTROL))
+ if (!capable(CAP_AUDIT_WRITE))
return -EPERM;
if (current != pid_task(proc_pid(inode), PIDTYPE_PID))
Thanks.
--
Steve Beattie
SUSE Labs, Novell Inc.
<[EMAIL PROTECTED]>
http://NxNW.org/~steve/
pgplhLOrCqDmS.pgp
Description: PGP signature
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
