Random ramblings of a paranoid git
"The question is not if you are paranoid, it is if you are paranoid enough."


Wednesday, June 22, 2005
Roller 1.2 botched my theme
2005-06-22 16:25

Damn! It has been waaay too long since I blogged.

I just noticed that my theme, which uses tables heavily, doesn't look very good in Roller 1.2.

I think it is time to take a look at all the things in my theme I postponed when I worked on it last time, and poke Dave to fix the bug I filed in January. If you feel like giving me a hand, vote on the bug for me.

Moving to Rio de Janeiro
2005-06-22 15:05

A few months ago I met a Brazilian girl online who used to live in Sweden and speaks fluent Swedish. One thing led to another, so at the beginning of May I went down to Rio de Janeiro for a two-week vacation and a date. I liked her (and Rio) so much that I will be going back to work out of Sun's Rio office for the next three months, to see how things evolve.

It'll actually be easier to work out of the Rio office, as it is 5 hours closer to California than Sweden, so I will have a lot fewer late-night conference calls.

I haven't been blogging a lot lately, as I'm busy studying Portuguese in my spare time. Hopefully I'll be able to take another dive into the depths of Solaris auditing once I've installed myself in Rio.


[Photo: Rio de Janeiro from the bay, a stunning view]

In case someone is interested in viewing the pictures I took in Rio, check out my Flickr page.

Tuesday, June 14, 2005
A quick peek into a problem in the audit daemon
2005-06-14 08:10

Since I'm one of the few who is anal-retentive enough to be interested in auditing, and also blog about it, I get a number of questions about it. A couple of weeks ago I got a question from Colin Bouttell asking why setting a default acl(2) on /var/audit doesn't seem to work correctly with the audit daemon. If OpenSolaris had been available then, I could quickly have shown why and where it happens, and he could have compiled a temporary fix in the blink of an eye.

Now that OpenSolaris is available, I can blog about this issue the way I would have liked when I got the question. The bug related to this problem is 6256481.

I'll start by quickly mentioning how default acls work. A default acl is set on a directory, and every file created in that directory inherits its entries as the file's own access acl. Out of the box a directory carries no default entries at all, as getfacl(1) shows:

# getfacl /var/audit

# file: /var/audit
# owner: root
# group: sys
user::rwx
group::r-x              #effective:r-x
mask:r-x
other:r-x

If you use setfacl(1) to set the default acl for /var/audit like this:

# setfacl -m d:m:r--,d:u::rw-,d:g::---,d:o:---,d:u:audit:r-- /var/audit

you can verify the setting using getfacl(1):

# getfacl /var/audit

# file: /var/audit
# owner: root
# group: sys
user::rwx
group::r-x              #effective:r-x
mask:r-x
other:r-x
default:user::rw-
default:user:audit:r--
default:group::---
default:mask:r--
default:other:---

Note that you have to supply all four default entries (d:u::, d:g::, d:o: and d:m:, i.e. user, group, other and mask) in the same setfacl invocation; setfacl requires all four as soon as any default entry is given, and named-user entries such as d:u:audit:r-- come on top of them.

All new files created in the directory now inherit these entries, so a file created with touch(1) ends up readable by the audit user:

# touch /var/audit/test
# getfacl /var/audit/test

# file: /var/audit/test
# owner: root
# group: root
user::rw-
user:audit:r--          #effective:r--
group::---              #effective:---
mask:r--
other:---

One would expect the audit files created by auditd to be readable by the audit user too, but if you use "audit -n" to make auditd switch to a new audit log, getfacl shows that the inherited entries are not effective: the mask on the new file has ended up as ---, so the inherited user:audit:r-- is masked down to nothing.

# getfacl /var/audit/20050530010500.not_terminated.vaccine

# file: /var/audit/20050530010500.not_terminated.vaccine
# owner: root
# group: root
user::rw-
user:audit:r--          #effective:---
group::---              #effective:---
mask:---
other:---

This was the question I got from Colin, and after a quick test to verify the problem, I decided to take a look at the source to see why this is happening. Before Solaris 10 the code to create a new audit file resided in usr/src/cmd/auditd/auditd.c, but now auditd has plugins which deal with the distribution of audit records. It is the audit_binfile.so plugin (usr/src/lib/auditd_plugins/binfile/binfile.c) which deals with writing the audit log to local disk.

In the function open_log in binfile.c (the loop starting at line 537), the new file is created by the open(2) call on line 544:

 537    	/* Get a filename which does not already exist */
 538    	opened = 0;
 539    	while (!opened) {
 540    		getauditdate(auditdate);
 541    		(void) snprintf(newname, AUDIT_FNAME_SZ,
 542    		    "%s/%s.not_terminated.%s",
 543    		    current_dir->dl_dirname, auditdate, host);
 544    		newfd = open(newname,
 545    		    O_RDWR | O_APPEND | O_CREAT | O_EXCL, 0600);
 546    		if (newfd < 0) {
 547    			switch (errno) {
 548    			case EEXIST:
 549    				DPRINT((dbfp,
 550    				    "open_log says duplicate for %s "
 551    				    "(will try another)\n", newname));
 552    				(void) sleep(1);
 553    				break;
 554    			default:
 555    				/* open failed */
 556    				DPRINT((dbfp,
 557    				    "open_log says full for %s: %s\n",
 558    				    newname, strerror(errno)));
 559    				current_dir->dl_space = SPACE_FULL;
 560    				current_dir = current_dir->dl_next;
 561    				return (0);
 562    			} /* switch */
 563    		} else
 564    			opened = 1;
 565    	} /* while */
and it is the 0600 on line 545 which causes the problem. When a file is created in a directory that has a default acl, the new file's mask is the default mask ANDed with the group bits of the mode passed to open(2), so the group bits act as an upper bound for the mask. With 0600 the group bits are ---, the mask becomes ---, and every named-user entry, including user:audit:r--, is masked out.

Changing the mode from 0600 to 0640 fixes the problem: the default mask r-- ANDed with the group bits r-- gives a mask of r--, so user:audit:r-- stays effective and the newly created audit logs can be read by the audit user. One thing to keep in mind is that on a system where no default acl has been set on the audit directory, 0640 also leaves each new log group-readable (subject to the daemon's umask) by the group the file is created with, root in the listing above, so the group ownership of the audit files should be checked before relying on this.

