Delivered-To: darwin-kernel@lists.apple.com

I think I asked something similar to this for Tiger, but I think some things have changed with Leopard...

When running a SUID root program, the Leopard BSM audit trail doesn't record the program's name. Instead it shows only the path /dev/null being executed. Is there a reason for this? It seems that for security reasons, you would *want* to know the name of a program running with root privilege.

Below are the execve() audit records for running the exact same program. The only difference is that the second program is SUID root. Any thoughts would be appreciated.

Example of running the non-SUID program /tmp/my_plain:

header,130,1,execve(2),0,Wed Oct 22 16:32:18 2008, + 104 msec
path,/private/tmp/my_plain
attribute,20173200000,heberlei,wheel,234881032,31428062411227136,0
text,
subject,heberlei,heberlei,heberlei,heberlei,heberlei,1836,0,0,0.0.0.0
text,
return,success,0

Example of running the SUID root program /tmp/my_suid:

header,118,1,execve(2),0,Wed Oct 22 16:32:24 2008, + 816 msec
path,/dev/null
attribute,4155400000,root,wheel,121749316,522878819082698752,50331650
text,
subject,heberlei,heberlei,heberlei,heberlei,heberlei,1837,0,0,0.0.0.0
text,
return,success,0

Thanks,
Todd

_______________________________________________
Darwin-kernel mailing list (Darwin-kernel@lists.apple.com)
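For anyone reviewing Leopard audit trails, here is an added example (not code from the original post) that groups praudit-style tokens into execve events and flags the /dev/null path anomaly described above, so that a root-owned execution whose program name was lost can still be surfaced. The token layout (header, path, attribute, subject, return) follows the records quoted in the mail; the sample input below is those same two records, and the field positions within each token are assumed from the standard praudit output order.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two execve records quoted in the post.
SAMPLE = """\
header,130,1,execve(2),0,Wed Oct 22 16:32:18 2008, + 104 msec
path,/private/tmp/my_plain
attribute,20173200000,heberlei,wheel,234881032,31428062411227136,0
text,
subject,heberlei,heberlei,heberlei,heberlei,heberlei,1836,0,0,0.0.0.0
text,
return,success,0
header,118,1,execve(2),0,Wed Oct 22 16:32:24 2008, + 816 msec
path,/dev/null
attribute,4155400000,root,wheel,121749316,522878819082698752,50331650
text,
subject,heberlei,heberlei,heberlei,heberlei,heberlei,1837,0,0,0.0.0.0
text,
return,success,0
"""

@dataclass
class ExecEvent:
    event: str                      # event name from the header token
    path: Optional[str] = None      # first path token of the record
    owner: Optional[str] = None     # file owner from the attribute token
    audit_uid: Optional[str] = None # audit uid from the subject token
    pid: Optional[str] = None       # pid from the subject token (assumed field 6)
    status: Optional[str] = None    # "success"/"failure" from the return token

def parse_events(text: str) -> List[ExecEvent]:
    """Split a praudit text dump into one ExecEvent per header...return record."""
    events, cur = [], None
    for line in text.splitlines():
        fields = line.split(",")
        tok = fields[0]
        if tok == "header":
            cur = ExecEvent(event=fields[3])
            events.append(cur)
        elif cur is None:
            continue                # tokens before any header are ignored
        elif tok == "path" and cur.path is None:
            cur.path = fields[1]
        elif tok == "attribute":
            cur.owner = fields[2]
        elif tok == "subject":
            cur.audit_uid, cur.pid = fields[1], fields[6]
        elif tok == "return":
            cur.status = fields[1]
    return events

def flag_masked_exec(events: List[ExecEvent]) -> List[ExecEvent]:
    """execve records whose path is /dev/null: the program name is missing,
    which on Leopard is what an SUID-root execution looks like."""
    return [e for e in events if e.event.startswith("execve") and e.path == "/dev/null"]
```

Run over a real trail (praudit output), the flagged events give the pid and audit uid that can be correlated with other records to recover which program actually ran.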