
Add logger for usr.bin/mdo/mdo.c: a logger like sudo.

Open Rin0913 opened this issue 1 year ago • 3 comments

We should add a logger for some MAC module. However, the logger for mac_do needs further discussion, and the tool using the MAC framework should also be logging itself.

The output log format is like the following:

Nov  4 03:46:54 bsd-workstation mdo[26618]: USER: rin; failed to call initgroups: 1
Nov  4 03:47:12 bsd-workstation mdo[26622]: USER: root; COMMAND=/bin/sh

Rin0913 avatar Nov 03 '24 19:11 Rin0913

I think this (adding logging support) is the right direction, but logging in the utility is probably not a very good choice because when mdo is loaded and enabled, approved users can simply call setuid() and/or setgid() in their applications to the allowed user / groups themselves, which will not trigger any logging...

Scratch that, I have misread the code. The module does require the caller to be the hardcoded /usr/bin/mdo.

delphij avatar Nov 14 '24 23:11 delphij

In general I like the idea. I don't have a strong feeling about it, but still, if we could use open_memstream(3) it would be nicer.

bapt avatar Dec 18 '24 16:12 bapt

@OlCe2

Hi, could you please help me review this PR? Thank you very much!

Rin0913 avatar Apr 20 '25 10:04 Rin0913

@OlCe2 Any final comments? This seems reasonable to me. I'm on the fence whether @bapt's comments would help or not... it seems like maybe only a marginal improvement unless I'm badly misreading.

bsdimp avatar Aug 04 '25 19:08 bsdimp

Given the lack of answers, and the fact that since then the code of mdo(1) has considerably changed, closing this.

Feel free to re-open, rebase changes and cater to comments when you have the time.

OlCe2 avatar Nov 21 '25 10:11 OlCe2