vfs_audit log does not show full path names
Jeremy Allison
jra at samba.org
Mon Jul 30 16:43:35 UTC 2018
On Mon, Jul 30, 2018 at 08:55:37AM -0700, Carl Byington via samba-technical wrote:
> samba 4.7.1 on centos 7
>
> vfs_audit log used to show the full path name. I am not sure when that
> changed, but now open only logs the last component (like basename).
> Rename still logs both old and new full pathnames. Is there some config
> entry that needs to be set to get the full pathnames logged?
>
>
> [global]
> full_audit:priority = notice
> full_audit:facility = local1
> full_audit:success = open rename
> full_audit:failure = connect
> full_audit:prefix = %u|%I|%S
>
> [sname]
> path = /home/usr
> vfs objects = full_audit
>
>
> Actual results:
> ryan|$IP|sname|rename|ok|a/b/c.tmp|a/b/c.xlsx
> ryan|$IP|sname|open|ok|r|c.xlsx
>
> Expected results:
> ryan|$IP|sname|rename|ok|a/b/c.tmp|a/b/c.xlsx
> ryan|$IP|sname|open|ok|r|a/b/c.xlsx
>
>
> With the current code, we don't know which one of the possibly many
> c.xlsx files was read.
>
> Looking at vfs_full_audit.c, smb_full_audit_open() and
> smb_full_audit_rename() are very similar, using smb_fname_str_do_log()
> to format the file name string for logging. Apparently the difference is
> at a higher level. Can we assume that the filename should be prefixed
> with the current directory, or might the current directory have been
> changed by the time the audit log is called?
Yes, this is the change to avoid race conditions in
open. The audit code should be changed to print a
full pathname including current directory. Can you
log me a bug to track it and I'll create a patch
for you?
Thanks,
Jeremy.
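
An added example, not part of the original thread and not Samba code: a Python triage helper for logs already written in the format shown above, which lists each `open` record that carries only a bare file name together with the full paths of that name previously seen on the same share. The sample records, the IP address and the function names are constructed for illustration, and the parser assumes no `|` appears inside user, share or file names.

```python
import posixpath

# Constructed sample records in the thread's format: the "%u|%I|%S" prefix,
# then operation|result|arguments. The IP is a documentation address.
SAMPLE_LOG = """\
ryan|192.0.2.10|sname|rename|ok|a/b/c.tmp|a/b/c.xlsx
ryan|192.0.2.10|sname|rename|ok|x/y/c.tmp|x/y/c.xlsx
ryan|192.0.2.10|sname|open|ok|r|c.xlsx
ryan|192.0.2.10|sname|open|ok|r|a/b/report.docx
ryan|192.0.2.10|sname|open|ok|r|notes.txt
"""


def parse(line):
    """Split one record. Assumes no '|' inside user, share or file names."""
    fields = line.strip().split("|")
    if len(fields) < 6:
        return None  # not a record in the expected format
    user, ip, share, op, result, *args = fields
    return {"user": user, "ip": ip, "share": share, "op": op,
            "result": result, "args": args}


def ambiguous_opens(log_text):
    """Return (user, share, name, candidates) for opens logged without a directory."""
    known = {}  # (share, basename) -> set of share-relative paths seen so far
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["result"] != "ok":
            continue
        share = rec["share"]
        if rec["op"] == "rename" and len(rec["args"]) == 2:
            old, new = rec["args"]
            known.get((share, posixpath.basename(old)), set()).discard(old)
            known.setdefault((share, posixpath.basename(new)), set()).add(new)
        elif rec["op"] == "open":
            path = rec["args"][-1]
            if "/" in path:
                known.setdefault((share, posixpath.basename(path)), set()).add(path)
            else:
                # Bare name: a root-level file or a basename-only record.
                candidates = sorted(known.get((share, path), set()))
                findings.append((rec["user"], share, path, candidates))
    return findings


if __name__ == "__main__":
    for user, share, name, candidates in ambiguous_opens(SAMPLE_LOG):
        print(f"{user} opened {name!r} on {share}: candidates {candidates or 'unknown'}")
```

An empty candidate list means the log alone cannot say whether the file sits at the share root or in a directory that never appeared in a full-path record.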