[Bug 259676] New: auditd goes compute bound and locks up when sent SIGUSR1
https://bugzilla.novell.com/show_bug.cgi?id=259676

           Summary: auditd goes compute bound and locks up when sent SIGUSR1
           Product: openSUSE 10.2
           Version: Final
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: crispin@novell.com
         QAContact: qa@suse.de

The man page for auditd says that if you send it SIGUSR1, it will immediately rotate the audit logs. This is very useful functionality, and I used it in the AppArmor demo re-initialization script. It works properly on GA editions of SLES10 and SLED10.

However, on openSUSE 10.2 sending SIGUSR1 to auditd causes it to become compute bound, and cease generating audit records. This is easily reproducible: just send SIGUSR1 to the auditd process, and it immediately locks up.

Recovery is easy: run "/etc/init.d/auditd restart". The restart takes a little longer than usual, but does succeed.

Not really a security vulnerability, because it seems you need to be root to send SIGUSR1 and have it do anything. Sending from non-root had no noticeable effects.

This bug was badly reported in 249638, where I had this problem confounded with problems in ZMD in hard-to-reproduce ways. At least now the auditd bug is clean and easy to reproduce.

NOTE: I have not checked SP1 to see if it is infected with this bug. Someone with access to an SP1 beta should do that very soon.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

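A staleness check for the failure mode reported above, where auditd keeps running but stops writing records. This is an added example, not part of the bug report or of the audit package; the sample records, the function names and the 60-second threshold are constructed for illustration.

```python
import re

# Timestamp and serial in an audit record header, e.g. msg=audit(1175500000.101:201)
AUDIT_STAMP = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

# Constructed sample of audit.log content (not taken from the bug report).
SAMPLE = [
    'type=SYSCALL msg=audit(1175500000.101:201): syscall=5 success=yes pid=4120 comm="cat"',
    'type=USER_AUTH msg=audit(1175500020.450:202): pid=4131 uid=0 res=success',
    'this line is not an audit record and is skipped',
    'type=DAEMON_ROTATE msg=audit(1175500030.000:203): auditd rotating logs',
]

def record_times(lines):
    """Return the epoch timestamp of every parseable audit record."""
    times = []
    for line in lines:
        match = AUDIT_STAMP.search(line)
        if match:
            times.append(float(match.group(1)))
    return times

def find_silences(lines, now, max_silence=60.0):
    """Return (start, end) spans longer than max_silence with no records.

    The span from the newest record up to `now` is included, which is the
    case that matters here: a daemon that is alive but no longer logging.
    A log with no records at all yields [(None, now)].
    """
    times = sorted(record_times(lines))
    if not times:
        return [(None, now)]
    spans = [(a, b) for a, b in zip(times, times[1:]) if b - a > max_silence]
    if now - times[-1] > max_silence:
        spans.append((times[-1], now))
    return spans

if __name__ == "__main__":
    # Five minutes after the last record: report the open-ended silence.
    for start, end in find_silences(SAMPLE, now=1175500330.0):
        print(f"no audit records between {start} and {end}")
```

On a busy host the threshold can be tight; on a quiet one, pair the check with a periodic event that is known to be audited so that silence is meaningful.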
https://bugzilla.novell.com/show_bug.cgi?id=259676

thomas@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |security-team@suse.de
         AssignedTo|security-team@suse.de       |tonyj@novell.com

------- Comment #1 from thomas@novell.com 2007-04-02 04:56 MST -------
Not a security bug because it is only triggerable by root (or can it be triggered automatically by another process?).

Reassigning to maintainer.

https://bugzilla.novell.com/show_bug.cgi?id=259676

------- Comment #2 from crispin@novell.com 2007-04-02 05:13 MST -------
Yes, in my testing, only root can trigger the bug.

Whether that makes it "not a security bug" or not is a matter of opinion; auditing freaks would claim that even root should be audited, and this makes it trivial to suspend auditing. Realists would observe that root can mess with auditing without this bug.

https://bugzilla.novell.com/show_bug.cgi?id=259676

tonyj@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

------- Comment #3 from tonyj@novell.com 2007-04-06 18:15 MST -------
Reproduced in audit 1.2.6 (10.2). Fails to reproduce in audit 1.2.9 (stable and SP1).

Thanks for the bug, Crispin. Not sure it warrants a security fix as it's only root exploitable. If you disagree, follow up; else I'll likely close this as fixed in next release.

https://bugzilla.novell.com/show_bug.cgi?id=259676

------- Comment #4 from crispin@novell.com 2007-04-06 21:13 MST -------
I agree that it is not a security bug, so apply whatever the policy is for functionality bug fixes. Is it our policy to not fix functionality bugs in openSUSE?

https://bugzilla.novell.com/show_bug.cgi?id=259676

meissner@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ast@novell.com
             Status|ASSIGNED                    |NEEDINFO
      Info Provider|                            |aj@novell.com

------- Comment #5 from meissner@novell.com 2007-04-12 06:42 MST -------
The project manager is asked. AJ? or was it AnJa?

https://bugzilla.novell.com/show_bug.cgi?id=259676

meissner@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Info Provider|aj@novell.com               |ast@novell.com

------- Comment #6 from meissner@novell.com 2007-04-12 06:44 MST -------
actually anja.

I would say: go for it if the fix is small.

https://bugzilla.novell.com/show_bug.cgi?id=259676

ast@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
      Info Provider|ast@novell.com              |

------- Comment #7 from ast@novell.com 2007-04-12 07:50 MST -------
your wish is my command. SWAMPID is 9408

https://bugzilla.novell.com/show_bug.cgi?id=259676

------- Comment #8 from tonyj@novell.com 2007-04-27 08:49 MST -------
Checked into abuild for 10.2 update.

https://bugzilla.novell.com/show_bug.cgi?id=259676

ast@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

------- Comment #9 from ast@novell.com 2007-05-02 03:51 MST -------
released