From: Steve Grubb <sgrubb@redhat.com>
To: Lenny Bruzenak <lenny@magitekltd.com>
Cc: linux-audit@redhat.com
Subject: Re: useradd question
Date: Wed, 22 May 2019 13:34:34 -0400 [thread overview]
Message-ID: <1895815.SLc6sCx9v7@x2> (raw)
In-Reply-To: <75873a5b-255c-9b31-1b0e-6a1552021ab1@magitekltd.com>
On Monday, May 20, 2019 4:05:55 PM EDT Lenny Bruzenak wrote:
> On 5/20/19 2:59 PM, Steve Grubb wrote:
> > So...I went digging through the source code of useradd.c. In main is this
> >
> > comment:
> > /*
> >
> > * Do the hard stuff:
> > * - open the files,
> > * - create the user entries,
> > * - create the home directory,
> > * - create user mail spool,
> > * - flush nscd caches for passwd and group services,
> > * - then close and update the files.
> > */
> >
> > If you dig around, you'll see in the above process it calls usr_update().
> > This is where the audit event is. The very next function call is
> > close_files. This is where it actually writes to the files where it
> > would be visible to auditd. So, it looks like auditing in shadow-utils
> > is busted.
> >
> > I also see where its calling pam_tally2 which is deprecated for years. It
> > should be calling faillock. I'll chat with upstream maintainers.
>
> Thank you Steve, much appreciated! If they are able to provide a patch,
> would you mind asking them to send me a link and I'll test it ASAP?
I think this is the right fix:
diff -urp shadow-4.6.orig/src/useradd.c shadow-4.6/src/useradd.c
--- shadow-4.6.orig/src/useradd.c 2019-05-21 08:26:12.533328554 -0400
+++ shadow-4.6/src/useradd.c 2019-05-22 12:21:46.305293997 -0400
@@ -1955,9 +1955,14 @@ static void usr_update (void)
#endif /* ENABLE_SUBIDS */
#ifdef WITH_AUDIT
+ /*
+ * Even though we have the ID of the user, we won't send it now
+ * because its not written to disk yet. After close_files it is
+ * and we can use the real ID thereafter.
+ */
audit_logger (AUDIT_ADD_USER, Prog,
"add-user",
- user_name, (unsigned int) user_id,
+ user_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
#endif
/*
next prev parent reply other threads:[~2019-05-22 17:34 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-16 23:00 useradd question Lenny Bruzenak
2019-05-17 12:44 ` Steve Grubb
2019-05-20 15:39 ` Lenny Bruzenak
2019-05-20 19:59 ` Steve Grubb
2019-05-20 20:05 ` Lenny Bruzenak
2019-05-20 20:12 ` Steve Grubb
2019-05-22 17:34 ` Steve Grubb [this message]
2019-05-22 18:23 ` Lenny Bruzenak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1895815.SLc6sCx9v7@x2 \
--to=sgrubb@redhat.com \
--cc=lenny@magitekltd.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.