Re: F36 Change proposal: No ifcfg by default (Self-Contained Change)

On Thu, 2022-01-06 at 18:02 +0000, Zbigniew Jędrzejewski-Szmek wrote:
> On Thu, Jan 06, 2022 at 08:48:52AM -0800, Adam Williamson wrote:
> > On Thu, 2022-01-06 at 16:16 +0000, Zbigniew Jędrzejewski-Szmek wrote:
> > > 
> > > I know that you said that the scripts are needed because of "magic stuff™"
> > > that the scripts do, but sorry, that's not a justification: *everything* that
> > > can be done using a shell script can also be reimplemented independently.
> > > Right now audit pulls in the whole initscripts stack, this should all be replaced
> > > by some small helper. (Maybe a separate binary, or a small shell script, or
> > > maybe something in auditctl…. I don't know because I don't know audit.)
> > 
> > As I understand the bug, it's not a question of whether the thing can
> > be done, but whether it can be known *who did it*. 
> 
> There is no magic functionality in the kernel that specifically records that
> something was executed by some specific script. If that script sends a signal
> somewhere, you can send the same signal with the same sender info and the same privileges
> using bash/python/C/Rust or even assembly. So the "who did it" information
> can be provided in a different way without pulling in the initscripts stack,
> or it is bogus, or maybe even both.

In this case the "who" is the user, not the script.

The problem of going through systemctl is that the "who" is lost
because all the audit system can see is that systemd started the
action. Basically the communication between systemctl and systemd masks
the identity of the user that initiated the action.

I believe a solution needs to be found between systemd and the audit
subsystem in general so that we remove this whole class of issues
altogether.

Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
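
The attribution gap described in this message, as an added example that is not part of the original e-mail or of any Fedora, systemd or audit code: it parses two constructed audit records and flags service events that carry no login uid. It assumes the standard Linux audit key=value record layout, where `auid=4294967295` means the login uid is unset; the function names and sample values are hypothetical.

```python
import re

UNSET_AUID = 4294967295  # (uint32)-1: no login uid was ever set for this process

# Constructed, abbreviated sample records (not taken from the thread):
# a user's shell executes systemctl, then PID 1 reports the resulting stop.
SAMPLE = (
    'type=SYSCALL msg=audit(1641492000.101:410): arch=c000003e syscall=59 '
    'success=yes exit=0 ppid=2211 pid=2302 auid=1000 uid=0 ses=3 '
    'comm="systemctl" exe="/usr/bin/systemctl" key="admin-cmd"\n'
    'type=SERVICE_STOP msg=audit(1641492000.350:411): pid=1 uid=0 '
    'auid=4294967295 ses=4294967295 msg=\'unit=auditd comm="systemd" '
    'exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success\'\n'
)

# key=value pairs; values are either double-quoted or run to whitespace/quote.
FIELD = re.compile(r'(\w+)=("[^"]*"|[^\s\']+)')


def parse(line):
    """Flatten one audit record, including the nested msg='...' part."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def attribution(rec):
    """Return the login uid audit can attribute the event to, or None if unset."""
    auid = int(rec.get("auid", UNSET_AUID))
    return None if auid == UNSET_AUID else auid


def unattributed_service_events(log):
    """List SERVICE_* events whose record names no initiating login user."""
    hits = []
    for line in log.splitlines():
        rec = parse(line)
        if rec.get("type", "").startswith("SERVICE_") and attribution(rec) is None:
            hits.append((rec["type"], rec.get("unit"), rec.get("exe")))
    return hits


if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        rec = parse(line)
        print(rec["type"], "exe=" + rec["exe"], "auid=", attribution(rec))
    print("unattributed:", unattributed_service_events(SAMPLE))
```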


