Re: setuid logging
- To: tech@openbsd.org
- Subject: Re: setuid logging
- From: Matt Provost <mprovost@termcap.net>
- Date: Wed, 2 Jun 2004 11:07:28 -0700
- Mail-followup-to: tech@openbsd.org
On Jun 02 10:55 AM, Pawel Jakub Dawidek wrote:
> On Tue, Jun 01, 2004 at 09:47:27PM -0700, Matt Provost wrote:
> +> Here's a patch to enable setuid logging in -current. I've tested it on
> +> i386/GENERIC which is the only platform that I have. Skipping the find
> +> that /etc/security runs every night really cuts down the amount of time
> +> that it takes to run. To enable it, `sysctl fs.logsetuid=1`. It's also
> +> only been tested on FFS but I don't see why it shouldn't work on other
> +> filesystems (unless there is a problem with the inode numbers?).
> +> The chmod system call will now output lines like:
> +> /bsd: Setuid bit set by uid 1000 on file /tmp/a in filesystem mounted on /
> Are you sure you always log full path? If not, you probably want to log
> current directory as well, or you want to do in-kernel realpath().
Thanks, I'll try to add the current dir. Is there any better way to get
the full path of a vnode from inside the kernel?
> +> FCHMOD doesn't have any idea what the filename is, so for now it just
> +> prints out the inode number, like:
> +> /bsd: Setuid bit set by uid 0 on inode 101240 in filesystem mounted
> +> nosuid on /var
> +> So it would be possible to do a `find /var -inum 101240` to locate the
> +> file. It might be possible to try and find the vnode in the namei cache
> +> but I haven't done that yet.
> This could be far from trivial.
Yup, that's why I didn't try it.
> Pawel Jakub Dawidek                       http://www.FreeBSD.org
> pjd@FreeBSD.org                           http://garage.freebsd.pl
> FreeBSD committer                         Am I Evil? Yes, I Am!
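Added example, not code from this thread, from Matt's patch or from OpenBSD: a small Python triage script that consumes kernel log lines in the two formats quoted above (the chmod(2) form that names a file and the fchmod(2) form that only knows the inode) and turns them into something a nightly report or a log monitor could act on. The sample lines are constructed here in that format with a syslog prefix added; the `find -inum` reconstruction, the `nosuid` flag handling and the relative-path check (Pawel's point that a path logged as passed to chmod(2) is not necessarily a full path) are the script's own assumptions about how such a log would be used, not behaviour documented in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the format the patch description quotes
# ("/bsd: Setuid bit set by uid ... "), prefixed with a typical syslog
# header. These are not real logs. The third line shows a relative
# path, which the kernel would emit if chmod(2) was given "a" from /home.
SAMPLE_LOG = """\
Jun  2 11:07:28 host /bsd: Setuid bit set by uid 1000 on file /tmp/a in filesystem mounted on /
Jun  2 11:09:01 host /bsd: Setuid bit set by uid 0 on inode 101240 in filesystem mounted nosuid on /var
Jun  2 11:10:44 host /bsd: Setuid bit set by uid 1000 on file a in filesystem mounted on /home
Jun  2 11:11:00 host sshd[1234]: Accepted publickey for user from 10.0.0.5
"""

# One pattern for both shapes: "on file <path>" (chmod) or "on inode <n>" (fchmod).
# Mount options such as "nosuid" appear between "mounted" and "on <mountpoint>".
LINE_RE = re.compile(
    r"Setuid bit set by uid (?P<uid>\d+) on "
    r"(?:file (?P<path>\S+)|inode (?P<inum>\d+)) "
    r"in filesystem mounted (?P<opts>(?:\S+ )*?)on (?P<mount>\S+)\s*$"
)


@dataclass
class SetuidEvent:
    uid: int
    mount: str
    nosuid: bool                      # assumption: "nosuid" in the logged mount options
    path: Optional[str] = None        # set for chmod(2) events
    inum: Optional[int] = None        # set for fchmod(2) events

    def locate_command(self) -> Optional[str]:
        """Shell command to recover the file when only the inode was logged.
        -xdev keeps find on the filesystem the event named, since inode
        numbers are only unique within one filesystem."""
        if self.inum is None:
            return None
        return f"find {self.mount} -xdev -inum {self.inum}"

    def path_is_ambiguous(self) -> bool:
        """True when the logged path is relative: without the caller's cwd the
        line alone does not identify the file."""
        return self.path is not None and not self.path.startswith("/")

    def severity(self) -> str:
        """Triage heuristic (assumption, not from the thread): on a nosuid
        mount the kernel ignores the bit, so the event is noise; a new setuid
        file anywhere else deserves a look, most of all when root did it."""
        if self.nosuid:
            return "low"
        return "high" if self.uid == 0 else "medium"


def parse_line(line: str) -> Optional[SetuidEvent]:
    """Return a SetuidEvent for a matching log line, None for anything else."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    opts = m.group("opts").split()
    return SetuidEvent(
        uid=int(m.group("uid")),
        mount=m.group("mount"),
        nosuid="nosuid" in opts,
        path=m.group("path"),
        inum=int(m.group("inum")) if m.group("inum") else None,
    )


def parse_log(text: str) -> List[SetuidEvent]:
    """Parse every line of a log; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def report(events: List[SetuidEvent]) -> List[str]:
    """One human-readable line per event, with the follow-up a reviewer needs."""
    out = []
    for ev in events:
        target = ev.path if ev.path is not None else f"inode {ev.inum}"
        line = f"[{ev.severity()}] uid {ev.uid} set setuid on {target} (mount {ev.mount})"
        if ev.locate_command():
            line += f"; locate with: {ev.locate_command()}"
        if ev.path_is_ambiguous():
            line += "; WARNING: relative path, caller cwd unknown"
        out.append(line)
    return out


if __name__ == "__main__":
    for line in report(parse_log(SAMPLE_LOG)):
        print(line)
```

Run against `/var/log/messages` (or wherever the kernel facility lands) instead of `SAMPLE_LOG` to get the same report on a live machine. The `-xdev` in the reconstructed `find` matters: the inode number in the log is meaningful only on the filesystem mounted at the logged mount point, so a search that crosses into other mounts can return the wrong file.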