
Re: [patch] Syscall auditing - move "name=" field to the end



On Thursday 17 March 2005 12:30 pm, Chris Wright wrote:
> * Kris Wilson (krisw us ibm com) wrote:
> > > I don't think this patch is enough -- either we need to escape the text
> > > completely or just dump it as hex instead of a string. One option would
> > > be to dump it in quotes as a string if all chars in the string are in
> > > the range 0x20-0x7e, and as hex otherwise. That slightly complicates
> > > the parsing, but not by much, and still gives you plain text in the
> > > majority of cases while protecting against abuse.
> >
> > Dumping in hex instead of string would have a testing impact.  Using a
> > string in quotes would be a smaller hit, but there still would be
> > additional impact to test the "hex otherwise" case.
>
> We need to do something, as it is the data can't be trusted.  It's a way
> for user to possibly inject false audit messages.  And most characters
> are valid in pathnames.
>
> thanks,
> -chris

Let's rewrite Linux.  J/K.  But all jokes aside, can't we just log out the 
length of the name= field with the rest of the record, ie: name_len=7 
name=linux\n\0?

-tim
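
Added example, not part of the original thread and not kernel code: a user-space sketch of the "quoted if printable, hex otherwise" encoding proposed above, showing that a pathname with an embedded newline cannot start a forged record. The function name `format_name` is hypothetical, and treating `"` as non-plain is an added assumption so that the quoted form stays unambiguous to a parser.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: format an untrusted pathname as an audit field.
 * Quoted if every byte is 0x20-0x7e and not '"' (assumption), hex otherwise.
 * Returns bytes written (excluding NUL), or -1 if out is too small. */
static int format_name(const char *name, size_t len, char *out, size_t outsz)
{
    static const char hexd[] = "0123456789ABCDEF";
    int plain = 1;
    size_t i, n;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c < 0x20 || c > 0x7e || c == '"')
            plain = 0;
    }
    /* "name=" + payload + NUL; payload is len+2 quoted or 2*len hex */
    if (outsz < 5 + (plain ? len + 2 : 2 * len) + 1)
        return -1;
    memcpy(out, "name=", 5);
    n = 5;
    if (plain) {
        out[n++] = '"';
        memcpy(out + n, name, len);
        n += len;
        out[n++] = '"';
    } else {
        for (i = 0; i < len; i++) {
            unsigned char c = (unsigned char)name[i];
            out[n++] = hexd[c >> 4];
            out[n++] = hexd[c & 0x0f];
        }
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed sample: a filename carrying a newline and a fake record. */
    const char evil[] = "x\ntype=SYSCALL msg=forged";
    char buf[128];
    format_name("linux", 5, buf, sizeof buf);
    puts(buf);
    format_name(evil, sizeof evil - 1, buf, sizeof buf);
    puts(buf);
    return 0;
}
```

A parser can tell the two forms apart because only the plain form begins with a quote; the hex form contains nothing but hex digits.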

