WhiteBeam icon indicating copy to clipboard operation
WhiteBeam copied to clipboard

Published 20 hours ago verified publisher icon WhiteBeamSec

Linux LD_PRELOAD/LD_AUDIT library: Permission denied with path in Detection mode

Open noproto opened this issue 3 years ago • 1 comments

Files that do not exist are improperly returning "Permission denied" instead of "No such file or directory".

Erroneous output:

root@host:~# /example
WhiteBeam: /example: Permission denied
root@host:~# ./example
WhiteBeam: ./example: Permission denied

In syslog:

| Detection: /usr/bin/bash executed ./example (VerifyCanExecute)                                                                       | 1     |
| Detection: /usr/bin/bash executed /example (VerifyCanExecute)                                                                        | 1     |

Expected output:

root@host:~# /example
-bash: /example: No such file or directory
root@host:~# ./example
-bash: ./example: No such file or directory

(No syslog lines)

This is an issue in one of the Actions used by the Execution hooks provided by the Essential whitelist.

noproto avatar Oct 14 '21 02:10 noproto

Causes service --status-all to return WhiteBeam: /usr/local/sbin/grep: Permission denied on each line. Also: zcat with gzip's path.

noproto avatar Oct 14 '21 02:10 noproto