Commits on Aug 1, 2024

1. Don't fail setting log file ACLs with broken NSS backends …

   Previously we would set POSIX ACL entries on log files by performing
   an early UID lookup and passing a stringified version of the UID to
   `exacl::AclEntry::allow_user`.
   
   The exacl documentation states that names and decimal strings are
   accepted. Apparently, exacl would try to look up the decimal string
   using `getpwnam()` before considering that it should be parsed into a
   numeric value. Unfortunately, this could cause a fatal error and
   terminate the Laurel process:
   
       fatal error 'Error writing to filter log: Custom { kind: Other, error: Custom { kind: Other, error: "Invalid ACL: entry 3: Connection refused (os errno 111)" } }' at src/bin/laurel/main.rs:300,38
   
   We still do an early uid lookup but pass the original string to exacl
   instead of the decimal string.
   
   Steps to reproduce: System is configured with sssd for AD integration;
   /etc/nsswitch.conf contains the following lines:
   
       passwd:         files systemd sss
       group:          files systemd sss
       shadow:         files sss
       gshadow:        files
   
   If the machine es rebooted and sssd happens to come up after auditd,
   laurel fails to start and the error message above (or a similar one)
   is written to the auditd service's journal
   
   This can also be reproduced without rebooting by stopping sssd and
   restarting auditd (so laurel is restarted).

   

   hillu committed Aug 1, 2024
   Configuration menu

   • View commit details
   • Copy full SHA for 3c174a2
   • Browse repository at this point

   Copy the full SHA

   3c174a2 View commit details

   Browse the repository at this point in the history