Re: [Vserver] audit interface

From: Serge E. Hallyn <serue_at_us.ibm.com>
Date: Mon 14 Nov 2005 - 12:54:23 GMT
Message-ID: <20051114125422.GB1528@IBM-BWN8ZTBWAO1>

Quoting Gregory (Grisha) Trubetskoy (grisha@ispol.com):
>
> On Thu, 14 Jul 2005, Enrico Scholz wrote:
>
> >enrico.scholz@sigma-chemnitz.de (Enrico Scholz) writes:
> >
> >>| # auditctl -m 'foo'
> >>| Error sending user message request (Operation not permitted)
> >>...
> >>This gives problems on Fedora Core 4 as recent pam upgrade is
> >>using this functionality and most actions (su, cron) will fail
> >>therefore.
> >
> >Quick workaround is to add '^29' to the 'bcapabilities' of the
> >corresponding vserver. Next util-vserver version will probably
> >implicate this with the '--secure' option (after I decided how to
> >deal with the CAP_QUOTACTL vs. CAP_AUDIT_WRITE conflict).
>
> This didn't work for me (just to make "su -" work), it seems that I needed
> ^30 (CAP_AUDIT_CONTROL).
>
> Does anyone here know what the security implication of this is? We don't
> run auditd.

IIRC I originally added this capability... It's too coarse-grained for
my liking, but only applicable to audit. It allows your process to change
its loginuid, which you see reported in the audit msgs, but which is
not used for any authentication. (same bit allows adding/del'ing/listing
audit rules, iirc)

For vserver, loginuid should probably always be reported along with the
vserver id, I guess...

-serge

_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Mon Nov 14 12:54:49 2005

[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]
Generated on Mon 14 Nov 2005 - 12:54:53 GMT by hypermail 2.1.8