vfs_audit log does not show full path names

Jeremy Allison jra at samba.org
Mon Jul 30 16:43:35 UTC 2018


On Mon, Jul 30, 2018 at 08:55:37AM -0700, Carl Byington via samba-technical wrote:
> samba 4.7.1 on centos 7
> 
> vfs_audit log used to show the full path name. I am not sure when that
> changed, but now open only logs the last component (like basename).
> Rename still logs both old and new full pathnames. Is there some config
> entry that needs to be set to get the full pathnames logged?
> 
> 
> [global]
>     full_audit:priority = notice
>     full_audit:facility = local1
>     full_audit:success = open rename
>     full_audit:failure = connect
>     full_audit:prefix = %u|%I|%S
> 
> [sname]
>     path = /home/usr
>     vfs objects = full_audit
> 
> 
> Actual results:
> ryan|$IP|sname|rename|ok|a/b/c.tmp|a/b/c.xlsx
> ryan|$IP|sname|open|ok|r|c.xlsx
> 
> Expected results:
> ryan|$IP|sname|rename|ok|a/b/c.tmp|a/b/c.xlsx
> ryan|$IP|sname|open|ok|r|a/b/c.xlsx
> 
> 
> With the current code, we don't know which one of the possibly many
> c.xlsx files was read.
> 
> Looking at vfs_full_audit.c, smb_full_audit_open() and
> smb_full_audit_rename() are very similar, using smb_fname_str_do_log()
> to format the file name string for logging. Apparently the difference is
> at a higher level. Can we assume that the filename should be prefixed
> with the current directory, or might the current directory have been
> changed by the time the audit log is called?

Yes, this is the change to avoid race conditions in
open. The audit code should be changed to print a
full pathname including current directory. Can you
log me a bug to track it and I'll create a patch
for you?

Thanks,

	Jeremy.
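
An added example, not part of the thread or of Samba's code: a log-review helper that finds `open` records logged without a directory component and lists the full paths they could refer to, using rename targets seen on the same share. It assumes the record layout shown in the report (prefix `%u|%I|%S`, then operation, result and arguments), with the syslog header already stripped and no `|` in file names; the client address and the second rename in the sample are constructed.

```python
import os
from collections import defaultdict

# Constructed sample records in the report's format (prefix %u|%I|%S, then
# operation|result|arguments). The address and second rename are made up.
SAMPLE = """\
ryan|192.0.2.10|sname|rename|ok|a/b/c.tmp|a/b/c.xlsx
ryan|192.0.2.10|sname|rename|ok|d/e/c.tmp|d/e/c.xlsx
ryan|192.0.2.10|sname|open|ok|r|c.xlsx
ryan|192.0.2.10|sname|open|ok|r|a/b/notes.txt
"""

def parse(line):
    """Split one record into a dict; returns None for malformed lines."""
    parts = line.rstrip("\n").split("|")
    if len(parts) < 6:
        return None
    user, ip, share, op, result = parts[:5]
    return {"user": user, "ip": ip, "share": share, "op": op,
            "result": result, "args": parts[5:]}

def ambiguous_opens(text):
    """Return (record, candidates) for opens logged without a directory part.

    Candidates are full paths seen as rename targets on the same share with
    the same basename. They are hints only: the opened file may never have
    been renamed, or may sit in the share root.
    """
    seen = defaultdict(set)          # (share, basename) -> full paths
    findings = []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None or rec["result"] != "ok":
            continue
        if rec["op"] == "rename" and len(rec["args"]) == 2:
            new = rec["args"][1]
            seen[(rec["share"], os.path.basename(new))].add(new)
        elif rec["op"] == "open" and len(rec["args"]) == 2:
            path = rec["args"][1]          # args[0] is the r/w mode
            if "/" not in path:
                cands = sorted(seen[(rec["share"], path)])
                findings.append((rec, cands))
    return findings

if __name__ == "__main__":
    for rec, cands in ambiguous_opens(SAMPLE):
        print(rec["user"], rec["args"][1], "->", cands or "no candidates")
```

On the sample, the single `open` of `c.xlsx` matches two candidate paths, which is the attribution gap the report describes.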


