[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: setuid logging
On Tue, Jun 01, 2004 at 09:47:27PM -0700, Matt Provost wrote:
+> Here's a patch to enable setuid logging in -current. I've tested it on
+> i386/GENERIC which is the only platform that I have. Skipping the find
+> that /etc/security runs every night really cuts down the amount of time
+> that it takes to run. To enable it, `sysctl fs.logsetuid=1`. It's also
+> only been tested on FFS but I don't see why it shouldn't work on other
+> filesystems (unless there is a problem with the inode numbers?).
+> The chmod system call will now output lines like:
+> /bsd: Setuid bit set by uid 1000 on file /tmp/a in filesystem mounted on /
Are you sure you always log full path? If not, you probably want to log
current directory as well, or you want to do in-kernel realpath().
+> fchmod doesn't have any idea what the filename is, so for now it just
+> prints out the inode number, like:
+> /bsd: Setuid bit set by uid 0 on inode 101240 in filesystem mounted
+> nosuid on /var
+> So it would be possible to do a `find /var -inum 101240` to locate the
+> file. It might be possible to try and find the vnode in the namei cache
+> but I haven't done that yet.
This could be far from trivial.
Pawel Jakub Dawidek http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!
[demime 0.98d removed an attachment of type application/pgp-signature]