
From: Enrico Scholz (enrico.scholz_at_sigma-chemnitz.de)
Date: Sun 17 Jul 2005 - 12:52:49 BST

herbert_at_13thfloor.at (Herbert Poetzl) writes:

>> > it seems to be impossible to use the audit (CONFIG_AUDIT) interface
>> > of the kernel within a vserver:
>> >
>> > | # auditctl -m 'foo'
>> > | Error sending user message request (Operation not permitted)
>> > ...
>> > This gives problems on Fedora Core 4, as a recent pam upgrade
>> > uses this functionality and most actions (su, cron) will
>> > therefore fail.
>> hmm, does anybody know why pam would want to do syscall
>> auditing in the first place? I'm a little lost here actually
>> ...
> ah, looks like redhat is patching again ...
> http://people.redhat.com/sgrubb/audit/pam-0.78-loginuid.patch
> so I guess it's fine to remove pam_loginuid.so for now
> until the auditing interface is virtualized ...

Ok, as expected, the NETLINK problem can be solved by giving
CAP_AUDIT_WRITE permissions by default.

Next problem is a

| [pid 10153] open("/proc/self/loginuid", O_WRONLY|O_TRUNC|O_NOFOLLOW) = -1 EPERM (Operation not permitted)

Hiding /proc/self/loginuid (so that open(2) returns with -ENOENT)
seems to make newer pam_loginuid happy[1]. As this cannot be done
with procfs-security, would it be possible to hide the "loginuid"
entry statically for context!=0? (I guess making it writable is
more complicated than hiding it.)


[1] http://cvs.fedora.redhat.com/viewcvs/rpms/pam/FC-4/pam-0.79-cleanup-redhat.patch?r1=1.3&r2=1.4

\ /    ASCII Ribbon Campaign
 X   against HTML email & vCards
/ \             http://www.harley.com/turn-off-html/
Vserver mailing list

Generated on Sun 17 Jul 2005 - 12:53:19 BST by hypermail 2.1.3