Re: setuid logging
On Tue, Jun 01, 2004 at 09:47:27PM -0700, Matt Provost wrote:
> Here's a patch to enable setuid logging in -current. I've tested it on
> i386/GENERIC which is the only platform that I have. Skipping the find
> that /etc/security runs every night really cuts down the amount of time
> that it takes to run. To enable it, `sysctl fs.logsetuid=1`. It's also
> only been tested on FFS but I don't see why it shouldn't work on other
> filesystems (unless there is a problem with the inode numbers?).
>
> The chmod system call will now output lines like:
> /bsd: Setuid bit set by uid 1000 on file /tmp/a in filesystem mounted on /
Are you sure you always log the full path? If not, you probably want to log
the current directory as well, or do an in-kernel realpath().
> fchmod doesn't have any idea what the filename is, so for now it just
> prints out the inode number, like:
> /bsd: Setuid bit set by uid 0 on inode 101240 in filesystem mounted
> nosuid on /var
>
> So it would be possible to do a `find /var -inum 101240` to locate the
> file. It might be possible to try and find the vnode in the namei cache
> but I haven't done that yet.
This could be far from trivial.
--
Pawel Jakub Dawidek http://www.FreeBSD.org
pjd@FreeBSD.org http://garage.freebsd.pl
FreeBSD committer Am I Evil? Yes, I Am!
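As an added example for the log consumer side (this is not code from the thread or from the patch being discussed), the following Python script parses the two line shapes quoted above, flags lines whose path is not absolute (the case the reply raises: without the process's working directory such a path cannot be resolved), and for inode-only lines performs the userland equivalent of `find MOUNT -inum N`, staying on the logged filesystem by comparing `st_dev`. The sample log lines are constructed to match the quoted format; the `sysctl` name and message format come from the thread, everything else (function names, the fixture directory) is an assumption of this example.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches the two shapes quoted in the thread (syslog "/bsd: " prefix optional):
#   Setuid bit set by uid 1000 on file /tmp/a in filesystem mounted on /
#   Setuid bit set by uid 0 on inode 101240 in filesystem mounted nosuid on /var
LINE_RE = re.compile(
    r"Setuid bit set by uid (?P<uid>\d+) on "
    r"(?:file (?P<path>\S+)|inode (?P<inode>\d+)) "
    r"in filesystem mounted (?:(?P<opts>\S+) )?on (?P<mount>\S+)$"
)


@dataclass
class SetuidEvent:
    uid: int
    mount: str
    nosuid: bool                 # filesystem mounted nosuid: the bit is inert there
    path: Optional[str] = None   # present for chmod(2) lines
    inode: Optional[int] = None  # present for fchmod(2) lines

    @property
    def ambiguous(self) -> bool:
        # A relative path needs the caller's cwd, which the line does not carry.
        return self.path is not None and not self.path.startswith("/")


def parse_line(line: str) -> Optional[SetuidEvent]:
    """Parse one kernel log line; return None for lines that are not ours."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    return SetuidEvent(
        uid=int(m.group("uid")),
        mount=m.group("mount"),
        nosuid=m.group("opts") == "nosuid",
        path=m.group("path"),
        inode=int(m.group("inode")) if m.group("inode") else None,
    )


def resolve_inode(mount: str, inode: int) -> List[str]:
    """Userland analogue of `find MOUNT -inum INODE` confined to one filesystem.

    Several paths may come back: hard links share an inode number, and the
    file may also have been unlinked already, in which case nothing is found."""
    dev = os.lstat(mount).st_dev
    hits: List[str] = []
    for root, dirs, files in os.walk(mount):
        keep = []
        for d in dirs:  # do not descend into other mounted filesystems
            try:
                if os.lstat(os.path.join(root, d)).st_dev == dev:
                    keep.append(d)
            except OSError:
                pass
        dirs[:] = keep
        for name in files + dirs:
            p = os.path.join(root, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if st.st_dev == dev and st.st_ino == inode:
                hits.append(p)
    return hits


def triage(lines: List[str]) -> List[Tuple[str, SetuidEvent]]:
    """Classify each event by how much work is needed to name the file."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.inode is not None:
            kind = "inode-only"
        elif ev.ambiguous:
            kind = "relative-path"
        else:
            kind = "absolute-path"
        out.append((kind, ev))
    return out


def resolve_fixture() -> Tuple[str, List[str]]:
    """Constructed fixture: one file in a temp dir standing in for a mount point."""
    d = tempfile.mkdtemp()
    victim = os.path.join(d, "victim")
    open(victim, "w").close()
    ino = os.lstat(victim).st_ino
    line = "/bsd: Setuid bit set by uid 0 on inode %d in filesystem mounted on %s" % (ino, d)
    ev = parse_line(line)
    return victim, resolve_inode(ev.mount, ev.inode)


if __name__ == "__main__":
    SAMPLE = [  # constructed sample lines following the quoted format
        "/bsd: Setuid bit set by uid 1000 on file /tmp/a in filesystem mounted on /",
        "/bsd: Setuid bit set by uid 1000 on file a in filesystem mounted on /",
        "/bsd: Setuid bit set by uid 0 on inode 101240 in filesystem mounted nosuid on /var",
    ]
    for kind, ev in triage(SAMPLE):
        print(kind, ev)
    print(resolve_fixture())
```

Walking a whole filesystem is as slow as the nightly `find` the patch is meant to avoid, so in practice the inode lookup belongs in an on-demand investigation step rather than in the per-line path; the `nosuid` flag is kept because a setuid bit on such a filesystem is a policy signal but not a privilege escalation by itself.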