426934 – /dev/null: permission denied

Bug 426934 - /dev/null: permission denied

Summary: /dev/null: permission denied

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	audit
Sub Component:
Version:	rawhide
Hardware:	i386
OS:	Linux
Priority:	low
Severity:	high
Target Milestone:	---
Assignee:	Steve Grubb
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-12-28 16:30 UTC by sangu
Modified:	2008-01-01 15:40 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2008-01-01 15:40:50 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description sangu 2007-12-28 16:30:54 UTC

Description of problem:
normal user login

-bash: /dev/null: permission denied
-bash: /dev/null: permission denied
-bash: /dev/null: permission denied
...
Version-Release number of selected component (if applicable):
1.6.3-1.fc9

How reproducible:
always

Steps to Reproduce:
1. normal user login
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Eric Paris 2007-12-28 23:13:26 UTC

audit(1199402245.461:798): avc:  denied  { setattr } for  pid=26857
comm="auditd" name="null" dev=tmpfs ino=1948 scontext=root:system_r:auditd_t:s0
tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file
audit(1199402245.461:798): arch=c000003e syscall=91 success=no exit=-13 a0=0
a1=100 a2=55555576e440 a3=0 items=0 ppid=26856 pid=26857 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none), sessionid=5
comm="auditd" exe="/sbin/auditd" subj=root:system_r:auditd_t:s0 key=(null)

Comment 2 Eric Paris 2007-12-28 23:18:37 UTC

that audit message appears in /var/log/messages or dmesg since it appears while
i am running service audit restart and the audit daemon is not actually up at
the moment....

Comment 3 Eric Paris 2007-12-28 23:27:37 UTC

oh yeah, note that the perms are not changed if selinux is enforcing since the
above message is an selinux denial....

Comment 4 Eric Paris 2007-12-28 23:36:05 UTC

27175 open("/var/run/auditd.pid", O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW, 0644) = 5
27175 write(5, "27175\n", 6)            = 6
27175 close(5)                          = 0
27175 open("/var/log/audit/audit.log", O_WRONLY|O_APPEND|O_NOFOLLOW) = 5
27175 fcntl(5, F_SETFD, FD_CLOEXEC)     = 0
27175 fchmod(0, 0400)                   = 0
27175 fchown(5, 0, 0)                   = 0
27175 fcntl(5, F_GETFL)                 = 0x28401 (flags
O_WRONLY|O_APPEND|O_LARGEFILE|O_NOFOLLOW)
27175 fstat(5, {st_mode=S_IFREG|0640, st_size=638, ...}) = 0


fchmod(0, 0400)  ???????

Comment 5 Eric Paris 2007-12-28 23:53:48 UTC

in src/auditd-event.c::open_audit_log()

        fchmod(data->log_fd,
                        data->config->log_group ? S_IRUSR|S_IRGRP : S_IRUSR);
        fchown(lfd, 0, data->config->log_group);

        data->log_fd = lfd;

notice the fchmod is using data->log_fd even though it isn't set until a couple
lines later.  Either the data->og_fd needs to be moved up or the fchmod should
use lfd directly....

Comment 6 Miloslav Trmač 2007-12-29 00:49:55 UTC

As a stopgap, audit-1.6.3-2 removes the fchmod() call.  Merely changing the
fchmod() to use lfd is not enough, because the following code in
log_file_parser() triggers when auditd is started for the second time:
        if ((buf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) != 
                          (S_IRUSR|S_IWUSR|S_IRGRP)) {
                audit_msg(LOG_ERR, "%s permissions should be 0640", nv->value);
                return 1;
        }

Comment 7 Valdis Kletnieks 2007-12-29 03:43:56 UTC

Re: comment #3 - the perms certainly *do* get whomped if your SELinux happens to
be in permissive mode at the time....

Comment 8 Steve Grubb 2007-12-29 16:22:25 UTC

A permanent fix was put in audit-1.6.4-1. This was a case of using the wrong
variable in a fchmod operation. Thanks for reporting the problem. If the 1.6.4
package doesn't work for you, please reopen this bug report.

Comment 9 Eric Paris 2007-12-30 16:21:57 UTC

sgrubb, please reread comment #6

1.6.4-1 is now changing /var/log/audit/audit.log to 600 (which is a large
improvement over /dev/null) but if you then restart auditd it refuses to start
because it is not 640.

Comment 10 Steve Grubb 2007-12-31 14:31:56 UTC

This should be fixed in audit-1.6.4-3. I forgot to change the config parser to
support both 0600 and 0640 perms.

Comment 11 Eric Paris 2007-12-31 16:33:27 UTC

The config parser fix in comment #10 fixed the problem from comment #6 but this
go wrong if you already have the file set 440 (no real reason to do this, but
this is slow enough of a path to detect and emit a decent error message)

service auditd stop
chmod 440 /var/log/audit/audit.log
service auditd start   (watch it fail)

audit(1199149402.157:189): avc:  denied  { dac_override } for  pid=12625
comm="auditd" capability=1 scontext=unconfined_u:system_r:auditd_t:s0
tcontext=unconfined_u:system_r:auditd_t:s0 tclass=capability
audit(1199149402.157:189): arch=c000003e syscall=2 success=no exit=-13
a0=2aaaaace5010 a1=20401 a2=0 a3=0 items=0 ppid=12624 pid=12625 auid=0 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="auditd"
exe="/sbin/auditd" subj=unconfined_u:system_r:auditd_t:s0 key=(null)
audit(1199149402.167:190): audit_pid=0 old=0 by auid=0
subj=unconfined_u:system_r:auditd_t:s0
audit(1199149402.189:191): audit_backlog_limit=320 old=320 by auid=0
subj=unconfined_u:system_r:auditctl_t:s0 res=1
audit(1199149402.189:192): audit_backlog_limit=320 old=320 by auid=0 res=1

auditd needed dac_override to write to the read only file but we don't get to
the chmod fixup before it poops out....

Comment 12 Steve Grubb 2008-01-01 15:40:50 UTC

This is fixed in the upstream development code. The original problem this bug
report was opened for seems fixed. If another problem is discovered, please open
a new bug report unless there is a regression on /dev/null. Thanks.

Note You need to log in before you can comment on or make changes to this bug.