[PATCH] Fix acct quoting in audit_log_acct_message()

Eric Paris eparis at redhat.com
Tue Mar 4 21:55:20 UTC 2008


On Tue, 2008-03-04 at 16:38 -0500, Steve Grubb wrote:
> On Tuesday 04 March 2008 16:21:01 John Dennis wrote:
> > These are the encoded audit strings in kernel 2.6.24 (Fedora):
> 
> Reorganized:
> 
> 
> Field		24		18		auparse
> a[0-9]+	X
> acct						X
> cmd						X
> comm	X		X		X
> cwd		X		X		X
> data		X
> dir		X				X
> exe		X		X		X
> file						X
> key		X		X		X
> msg		X
> name	X		X		X
> new		X		X
> old		X		X
> path		X		X		X
> watch					X

your formatting didn't come through, but we both agree auparse doesn't
get them all (for better or worse) and 2.6.24 only adds new stuff, it
doesn't remove?

> Of these, A0-4 is probably from the execve patch. I have no idea what the 
> status of this patch is and if its upstream. I've not seen the records so 
> this would be something very new.

execve could always turn A0-infinity into hex.  And currently upstream
and RHEL5.2 kernels both can do so....

> acct & cmd is a userspace thing
> 
> data, I need to go hunt this down. I don't like the name so it will probably 
> need to change in the kernel

maybe audit tty stuff?  I don't see it in auditsc.c or audit.c (just a
guess)
> 
> msg, name collision it has to change wherever it is in the kernel

not sure what this means...  I only see msg used in one place, but it is
a great example of non-standardization which should be cleaned up....

                        if (msg_type != AUDIT_USER_TTY)
                                /* format path: value copied in verbatim,
                                 * wrapped in single quotes, nothing escaped */
                                audit_log_format(ab, " msg='%.1024s'",
                                                 (char *)data);
                        else {
                                int size;

                                /* untrusted path: wrapped in double quotes if
                                 * printable, otherwise hex-encoded */
                                audit_log_format(ab, " msg=");
                                size = nlmsg_len(nlh);
                                audit_log_n_untrustedstring(ab, size,
                                                            data);
                        }

The top case will surround these with '' which the bottom will surround
with ""

> new, old, these sound like bugs. They need to get fixed in the kernel

new and old are from audit config changes.  Am I really expected to
trust what came down the netlink socket from userspace was sane?  nope
nope nope.  I don't trust userspace.  Even though 10 times out of 10
these are going to be normal strings they need to remain calls to
untrusted string just in case.

> 
> file & watch are probably legacy from RHEL4 I think. It can probably be 
> deleted.

don't see them in my kernels
> 
> -Steve
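Added example, not code from this thread, the kernel or audit-userspace: a Python model of the two `msg=` paths Eric quotes, the kernel's untrusted-string rule (double quotes if every byte is printable and not `"`, uppercase hex otherwise) beside the bare `'%.1024s'` format, plus an auparse-style decoder, to show which one a parser can interpret unambiguously. The decoder's quote-or-hex rule is a simplified model of auparse, not its source.

```python
def contains_control(value: bytes) -> bool:
    """Kernel rule (audit_string_contains_control): a double quote, any byte
    below 0x21 (space, control chars) or above 0x7e forces hex encoding."""
    return any(b == 0x22 or b < 0x21 or b > 0x7E for b in value)


def log_untrusted(name: str, value: bytes) -> str:
    """Model of audit_log_n_untrustedstring(): "quoted" if clean, else
    uppercase hex of the raw bytes with no quotes at all."""
    if contains_control(value):
        return f"{name}={value.hex().upper()}"
    return f'{name}="{value.decode("ascii")}"'


def log_format_path(name: str, value: bytes) -> str:
    """Model of audit_log_format(ab, " msg='%.1024s'", data): the value is
    copied in verbatim inside single quotes, nothing escaped or encoded."""
    return f"{name}='{value[:1024].decode('latin-1')}'"


def decode_field(token: str) -> bytes:
    """auparse-style reading of one name=value token (simplified model):
    a "..." value is taken literally, an even-length run of hex digits is
    decoded, anything else is handed back raw, quotes and all."""
    _, _, raw = token.partition("=")
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].encode("ascii")
    if raw and len(raw) % 2 == 0 and all(c in "0123456789ABCDEFabcdef" for c in raw):
        return bytes.fromhex(raw)
    return raw.encode("latin-1")


def roundtrips(name: str, value: bytes) -> bool:
    """True when the untrusted path reproduces the original bytes exactly."""
    return decode_field(log_untrusted(name, value)) == value


if __name__ == "__main__":
    # constructed sample values, including the awkward ones userspace can send
    for sample in (b"root", b"ro ot", b'a"b', b"it's", b"\x01\xff"):
        print(log_untrusted("acct", sample), roundtrips("acct", sample))
    # the single-quote path hands the decoder something it cannot classify
    print(decode_field(log_format_path("msg", b"it's")))
```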
