From: Ivan Castell
To: "linux-audit@redhat.com"
Subject: auditd daemon is changing /tmp permissions
Date: Thu, 4 Mar 2021 15:45:03 +0000

Hello all.

Just testing different versions of audit, discovered that version 2.8.5 and 3.0.1 are changing permissions of /tmp from 1777 to 700. This is a problem as normal non-root users can't write in /tmp after starting auditd.

The problem is related with the daemon, as commenting this call:

start-stop-daemon -S -q -p ${PIDFILE} --exec ${DAEMON}

fixes the issue.

It works fine on version 2.8.2.

We fixed it temporarily by setting proper /tmp permissions after starting the daemon:

# Run audit daemon executable
start-stop-daemon -S -q -p ${PIDFILE} --exec ${DAEMON}

if [ $? = 0 ]; then
    # Load the default rules
    test -f /etc/audit/rules.d/audit.rules && /usr/sbin/auditctl -R /etc/audit/rules.d/audit.rules >/dev/null
    # Bugfix audit 2.8.5 (reported and waiting for a patch!)
    chmod 1777 /tmp
    echo "OK"
else
    echo "FAIL"
fi

Could you provide a temporary patch for the daemon?

Thanks!



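A variant of the workaround in the message above, as an added example that is not part of the original post or of the audit project: instead of an unconditional `chmod 1777 /tmp`, it records the directory mode before the start command runs, restores it only if it changed, and logs the drift so the regression stays visible. The helper names `dir_mode` and `run_preserving_mode` are hypothetical, and `stat -c` assumes GNU coreutils or busybox.

```shell
#!/bin/sh
# Added example: dir_mode and run_preserving_mode are hypothetical helpers,
# not part of the audit package or of the init script in the report.

# Print the octal permission bits of a path, e.g. 1777.
# Assumes GNU coreutils or busybox stat (-c format option).
dir_mode() {
    stat -c '%a' "$1"
}

# Run a command, then restore DIR's mode if the command changed it.
# Usage: run_preserving_mode DIR COMMAND [ARGS...]
# Returns the exit status of COMMAND (1 if the mode cannot be read or restored).
run_preserving_mode() {
    dir=$1
    shift
    before=$(dir_mode "$dir") || return 1

    # Capture the status without tripping "set -e" in the calling script.
    status=0
    "$@" || status=$?

    after=$(dir_mode "$dir") || return 1
    if [ "$after" != "$before" ]; then
        # Report the drift on stderr so it reaches the boot log.
        echo "WARNING: $dir mode changed from $before to $after by: $*" >&2
        chmod "$before" "$dir" || return 1
    fi
    return "$status"
}

# In the init script from the report, this would wrap the daemon start:
#   run_preserving_mode /tmp start-stop-daemon -S -q -p "${PIDFILE}" --exec "${DAEMON}"
```

If the mode change happens only after the start command has returned, this check can miss it, the same limitation as the `chmod` placed after the start in the original workaround.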