[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: setuid logging



On Jun 02 10:55 AM, Pawel Jakub Dawidek wrote:
> On Tue, Jun 01, 2004 at 09:47:27PM -0700, Matt Provost wrote:
> +> Here's a patch to enable setuid logging in -current. I've tested it on
> +> i386/GENERIC which is the only platform that I have. Skipping the find
> +> that /etc/security runs every night really cuts down the amount of time
> +> that it takes to run. To enable it, `sysctl fs.logsetuid=1`. It's also
> +> only been tested on FFS but I don't see why it shouldn't work on other
> +> filesystems (unless there is a problem with the inode numbers?).
> +> 
> +> The chmod system call will now output lines like:
> +> /bsd: Setuid bit set by uid 1000 on file /tmp/a in filesystem mounted on /
> 
> Are you sure you always log full path? If not, you probably want to log
> current directory as well, or you want to do in-kernel realpath().
> 

Thanks, I'll try and add the current dir. Is there any better way to get
the full path of a vnode from inside the kernel?

> +> FCHMOD doesn't have any idea what the filename is, so for now it just
> +> prints out the inode number, like:
> +> /bsd: Setuid bit set by uid 0 on inode 101240 in filesystem mounted
> +> nosuid on /var
> +> 
> +> So it would be possible to do a `find /var -inum 101240` to locate the
> +> file. It might be possible to try and find the vnode in the namei cache
> +> but I haven't done that yet.
> 
> This could be far from trivial.

Yup that's why I didn't try it.

> 
> -- 
> Pawel Jakub Dawidek                       http://www.FreeBSD.org
> pjd_(_at_)_FreeBSD_(_dot_)_org                           http://garage.freebsd.pl
> FreeBSD committer                         Am I Evil? Yes, I Am!