reassign 560281 auditd
thanks

Hi Russell,

On Mon, Jun 21, 2010 at 11:18:38PM +1000, Russell Coker wrote:
> reassign 560281 libpam0g
> thanks

> The auid is not set by auditd, it is set by the login program.

> session required        pam_loginuid.so

> A line like the above in the PAM configuration will cause it to be set.  In a
> quick test it seems that the Debian kernel allows it to be changed once it
> has been set - which I think shouldn't be possible.

> Anyway, the fact that it's not set by default seems to be a bug in the
> default PAM configuration, so I'm reassigning it.  There may be a kernel bug
> in allowing it to be reset but that's a separate issue.

I'm not terribly familiar with pam_loginuid, but the manpage reads:

    This PAM module should only be used for entry point applications like:
    login, sshd, gdm, vsftpd, crond and atd.  There are probably other entry
    point applications besides these. You should not use it for applications
    like sudo or su as that defeats the purpose by changing the loginuid to
    the account they just switched to.

If this is accurate, then this is not a bug in libpam0g; the PAM
configurations are controlled by the respective packages implementing the
services, there's no way for libpam0g to declare that this module should be
used for services (x,y,z) but not services (a,b,c).

If your point is that the kernel allowing the audit id to be changed once
set is a bug and pam_loginuid should just be enabled for all services in the
meantime, I disagree that we should do this by default.  My understanding is
that pam_loginuid is only useful when operating in conjunction with auditd;
if this is true, then we shouldn't enable it by default - we should only
enable it when auditd has been installed to avoid unnecessary overhead /
complexity in the PAM stack.  That's easily achieved by having the auditd
package ship a profile for pam-auth-update in /usr/share/pam-configs as
described in <https://wiki.ubuntu.com/PAMConfigFrameworkSpec> and set the
appropriate versioned dependencies on libpam-modules and libpam-runtime. 
I'd be happy to help with the implementation of this if you agree this is
the correct way to handle it.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
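An added example, not part of this bug report or of the auditd or libpam0g packages: the practical consequence of the missing pam_loginuid line is that audit records carry the "unset" sentinel auid (unsigned -1, i.e. 4294967295), so the small Python parser below flags such records and groups them by the executable that produced them. The audit log lines are constructed for the example.

```python
import re

# /proc/<pid>/loginuid and the audit "auid=" field report an unset login uid as
# unsigned -1 (4294967295). Records carrying it cannot be tied to the account that
# logged in, which is the symptom seen when pam_loginuid is absent from the stack.
AUID_UNSET = 4294967295

# Constructed sample records in auditd's raw log format (not taken from the report).
SAMPLE_AUDIT_LOG = """\
type=USER_START msg=audit(1277125118.001:101): pid=2001 uid=0 auid=1000 ses=7 msg='op=PAM:session_open acct="alice" exe="/usr/sbin/sshd" res=success'
type=SYSCALL msg=audit(1277125120.123:102): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2010 auid=1000 uid=1000 ses=7 comm="id" exe="/usr/bin/id" key="exec"
type=USER_START msg=audit(1277125130.500:103): pid=2100 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open acct="bob" exe="/bin/login" res=success'
type=SYSCALL msg=audit(1277125131.750:104): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2110 auid=4294967295 uid=1001 ses=4294967295 comm="passwd" exe="/usr/bin/passwd" key="exec"
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\):")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> dict:
    """Split one raw audit line into a dict of field -> value (quotes stripped)."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    rec = {"type": m.group(1), "time": m.group(2), "serial": int(m.group(3))}
    for key, val in FIELD_RE.findall(line[m.end():]):
        rec[key] = val.strip('"')
    return rec


def unattributed_records(log_text: str) -> list[dict]:
    """Return the records whose auid is unset (PAM never assigned a login uid)."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            if int(rec.get("auid", AUID_UNSET)) == AUID_UNSET:
                hits.append(rec)
    return hits


def unattributed_by_exe(log_text: str) -> dict[str, int]:
    """Count unattributed records per executable: the entry-point services
    (login, sshd, cron, ...) that show up here are the ones missing pam_loginuid."""
    counts: dict[str, int] = {}
    for rec in unattributed_records(log_text):
        exe = rec.get("exe", "?")
        counts[exe] = counts.get(exe, 0) + 1
    return counts
```

Run against a real /var/log/audit/audit.log the same way; a service that appears in the per-executable counts is one whose PAM configuration does not set the login uid.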
