execve of /dev/null for SUID programs
- Subject: execve of /dev/null for SUID programs
- From: Todd Heberlein <email@hidden>
- Date: Wed, 22 Oct 2008 16:51:15 -0700
I think I asked something similar to this for Tiger, but I think some
things have changed with Leopard...
When running a SUID root program, the Leopard BSM audit trail doesn't
record the program's name. Instead it shows only the path /dev/null
being executed. Is there a reason for this?
It seems that for security reasons, you would *want* to know the name
of a program running with root privilege.
Below are the execve() audit records for running the exact same
program. The only difference is that the second program is SUID root.
Any thoughts would be appreciated.
Thanks,
Todd
Example of running the non-SUID program /tmp/my_plain:
header,130,1,execve(2),0,Wed Oct 22 16:32:18 2008, + 104 msec
path,/private/tmp/my_plain
attribute,20173200000,heberlei,wheel,234881032,31428062411227136,0
text,
subject,heberlei,heberlei,heberlei,heberlei,heberlei,1836,0,0,0.0.0.0
text,
return,success,0
Example of running the SUID root program /tmp/my_suid:
header,118,1,execve(2),0,Wed Oct 22 16:32:24 2008, + 816 msec
path,/dev/null
attribute,4155400000,root,wheel,121749316,522878819082698752,50331650
text,
subject,heberlei,heberlei,heberlei,heberlei,heberlei,1837,0,0,0.0.0.0
text,
return,success,0
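An added example, not part of the original message: a small parser for praudit-style BSM text records that groups tokens into records and flags execve(2) events an analyst should look at, in particular ones where the recorded path is /dev/null (the symptom shown above) or a root-owned file is executed by a subject whose effective uid is not root. It assumes praudit's default field order for the attribute token (mode, owner, group, fsid, nodeid, device) and the subject token (auid, euid, egid, ruid, rgid, pid, sid, tid); the sample input is the two records quoted in the post with the empty text tokens dropped.

```python
# Added example (not from the post): parse praudit-style BSM text records and
# flag execve(2) events whose recorded path is /dev/null, as in the post above.
# SAMPLE holds the two records quoted in the post (empty text tokens dropped).
SAMPLE = """\
header,130,1,execve(2),0,Wed Oct 22 16:32:18 2008, + 104 msec
path,/private/tmp/my_plain
attribute,20173200000,heberlei,wheel,234881032,31428062411227136,0
subject,heberlei,heberlei,heberlei,heberlei,heberlei,1836,0,0,0.0.0.0
return,success,0
header,118,1,execve(2),0,Wed Oct 22 16:32:24 2008, + 816 msec
path,/dev/null
attribute,4155400000,root,wheel,121749316,522878819082698752,50331650
subject,heberlei,heberlei,heberlei,heberlei,heberlei,1837,0,0,0.0.0.0
return,success,0
"""
ATTR_FIELDS = ("mode", "owner", "group", "fsid", "nodeid", "device")  # assumed praudit order
SUBJ_FIELDS = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "tid")  # assumed praudit order

def parse_praudit(text):
    """Group comma-delimited tokens into records: header ... return."""
    records, cur = [], None
    for line in text.splitlines():
        tok, *f = line.split(",")
        if tok == "header":          # header,len,version,event,modifier,time
            cur = {"event": f[2], "paths": [], "attribute": {}, "subject": {}}
        elif cur is None:            # tokens before any header: skip
            continue
        elif tok == "path":
            cur["paths"].append(f[0])
        elif tok == "attribute":
            cur["attribute"] = dict(zip(ATTR_FIELDS, f))
        elif tok == "subject":
            cur["subject"] = dict(zip(SUBJ_FIELDS, f))
        elif tok == "return":        # return token closes the record
            records.append(cur)
            cur = None
    return records

def flag_execs(records):
    """Execve records worth a look: executable name lost (/dev/null), or a
    root-owned file run by a subject whose effective uid is not root."""
    flagged = []
    for r in (x for x in records if x["event"].startswith("execve")):
        reasons = ["path-lost"] if "/dev/null" in r["paths"] else []
        if r["attribute"].get("owner") == "root" and r["subject"].get("euid") != "root":
            reasons.append("root-owned-file")
        if reasons:
            flagged.append({"pid": r["subject"].get("pid"), "paths": r["paths"], "reasons": reasons})
    return flagged
```

Run it over `praudit` output of a real trail to list every execve whose executable name the trail failed to record; those processes can then be matched to other records by pid.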
Darwin-kernel mailing list (email@hidden)