vfs_audit log does not show full path names

Jeremy Allison jra at samba.org
Mon Jul 30 16:43:35 UTC 2018

On Mon, Jul 30, 2018 at 08:55:37AM -0700, Carl Byington via samba-technical wrote:
> Hash: SHA512
> samba 4.7.1 on centos 7
> vfs_audit log used to show the full path name. I am not sure when that
> changed, but now open only logs the last component (like basename).
> Rename still logs both old and new full pathnames. Is there some config
> entry that needs to be set to get the full pathnames logged?
> [global]
>     full_audit:priority = notice
>     full_audit:facility = local1
>     full_audit:success = open rename
>     full_audit:failure = connect
>     full_audit:prefix = %u|%I|%S
> [sname]
>     path = /home/usr
>     vfs objects = full_audit
> Actual results:
> ryan|$IP|sname|rename|ok|a/b/c.tmp|a/b/c.xlsx
> ryan|$IP|sname|open|ok|r|c.xlsx
> Expected results:
> ryan|$IP|sname|rename|ok|a/b/c.tmp|a/b/c.xlsx
> ryan|$IP|sname|open|ok|r|a/b/c.xlsx
> With the current code, we don't know which one of the possibly many
> c.xlsx files were read.
> Looking at vfs_full_audit.c, smb_full_audit_open() and
> smb_full_audit_rename() are very similar, using smb_fname_str_do_log()
> to format the file name string for logging. Apparently the difference is
> at a higher level. Can we assume that the filename should be prefixed
> with the current directory, or might the current directory have been
> changed by the time the audit log is called?

Yes, this is the change to avoid race conditions in
open. The audit code should be changed to print a
full pathname including current directory. Can you
log me a bug to track it and I'll create a patch
for you ?



More information about the samba-technical mailing list