auditctl uses wrong syscall to determine uid
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
audit (Ubuntu) |
Fix Released
|
Low
|
Unassigned |
Bug Description
The short story is we have a setuid helper that tries to execute auditctl.
Example:
antarus@goats2 /tmp $ cat foo.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
int main(int argc, char ** argv) {
printf("%d\n", getuid());
printf("%d\n", geteuid());
execl(
}
antarus@goats2 /tmp $ sudo gcc foo.c -o foo
antarus@goats2 /tmp $ sudo chown root:root foo
antarus@goats2 /tmp $ sudo chmod +x foo
antarus@goats2 /tmp $ sudo chmod u+s foo
antarus@goats2 /tmp $ ./foo
505 <- my uid
0 <- root euid
You must be root to run this program. <- failed code.
LSB Version: core-2.
Distributor ID: Ubuntu
Description: Ubuntu 10.04.2 LTS
Release: 10.04
Codename: lucid
antarus@goats2 /tmp $ apt-cache policy auditd
auditd:
Installed: 1.7.13-1ubuntu2
Candidate: 1.7.13-1ubuntu2
This bug is also present on precise:
antarus@
auditd:
Installed: 1.7.18-1ubuntu1
Candidate: 1.7.18-1ubuntu1
Even auditd trunk is affected:
https:/
With my patch:
antarus@goats2 /tmp $ ./foo etc/default/ auditd perm=wa key=etc_ default_ auditd etc/init. d/auditd perm=wa key=etc_ init.d_ auditd etc/libaudit. conf perm=wa key=etc_ libaudit. conf etc/ssh/ ssh_config perm=wa key=ssh etc/ssh/ sshd_config perm=wa key=ssh etc/ssh/ ssh_host_ dsa_key perm=wa key=ssh etc/ssh/ ssh_host_ rsa_key perm=wa key=ssh etc/ssh/ ssh_host_ key perm=wa key=ssh chmod,fchmod
45531
0
LIST_RULES: exit,always dir=/etc/audit (0xa) perm=wa key=etc_audit
LIST_RULES: exit,always watch=/
LIST_RULES: exit,always watch=/
LIST_RULES: exit,always watch=/
LIST_RULES: exit,always dir=/etc/audisp (0xb) perm=wa key=etc_audisp
LIST_RULES: exit,always watch=/
LIST_RULES: exit,always watch=/
LIST_RULES: exit,always watch=/
LIST_RULES: exit,always watch=/
LIST_RULES: exit,always watch=/
LIST_RULES: exit,always watch=/etc/shadow perm=wa key=password
LIST_RULES: exit,always watch=/dev/mem perm=wa key=kernel
LIST_RULES: exit,always arch=3221225534 (0xc000003e) filetype=32768 (0x8000) a1&3072 (0xc00) key=chmod syscall=
LIST_RULES: exit,always arch=3221225534 (0xc000003e) filetype=32768 (0x8000) a2&3072 (0xc00) key=chmod syscall=fchmodat