Tags: logging, permissions, shared-libraries, unix-socket, pam

Exclusive unix-socket write permissions for shared libraries


I have a logging application and a shared library that writes to this application via a Unix socket.

I want to implement exclusive write access to the logging application only for the dynamic library.

I could restrict write access to the socket to specific users/groups, but applications that use my dynamic library could be started without any specific permissions.

If you want more specifics: my dynamic library is a PAM module. The application that has no extra permissions is mate-screensaver. mate-screensaver is started by the locked user without euid/egid set.

I figured out that I could add a challenge request to my logger application, which the dynamic library would have to pass. The logger application would send a nonce to the client, and the client would have to write the correct HMAC of it.

But I think this solution is a nasty workaround. The algorithm for secret generation is embedded in the binary and could potentially be discovered.

Are there some general approaches to resolving this problem?

UPD:

I checked standard syslog. I can write to /var/log/secure as an unprivileged user:

#include <syslog.h>

int main(void) {
    /* Any process may open syslog with an arbitrary ident and facility;
       nothing verifies that the caller really is sudo or a PAM module. */
    openlog("sudo", 0, LOG_AUTHPRIV);
    syslog(LOG_ERR, "pam_unix(sudo:auth) authentication failure; logname=...");
    closelog();
    return 0;
}

So after that I started to think that the problem I am trying to resolve is a made-up problem.


Solution

  • I'm trying to prevent someone from writing fake info about logging in as another user

    Suppose you managed to restrict writing to a socket to your library.so (no such mechanism exists, but suppose it did).

    Somewhere in your library you must have a write(sock, "whatever data ...", ...) call that actually logs the data.

    If I can run a program using your library under a debugger, then I can stop that program just before that write call, change the data it was about to write to whatever I want, and continue the program.

    End result: your "just my library" protection is worthless, and I can write any data I want to the socket.

  • I'm starting to think that the problem I am trying to resolve is a made-up problem

    Well, even if your problem is not made up, the solution you proposed doesn't achieve the desired result.
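The answer above shows that nothing the sending process controls (the library, an HMAC, the message bytes) can be trusted. What the logger can trust is what the kernel attaches to the connection: on Linux, SO_PEERCRED on an AF_UNIX socket yields the pid, uid and gid of the peer, and a client cannot forge them. The example below is added here to illustrate that one general approach; it is not code from the question or the answer. It assumes Linux (SO_PEERCRED and the struct ucred layout), and the "uid=" field, the log lines and the mismatch rule are constructed for the demo: the logger records the attested uid next to every line and flags a line whose claimed uid differs from the uid that actually sent it. It does not make the socket exclusive to the library, which, as the answer says, is not achievable.

```python
import os
import re
import socket
import struct
import tempfile
import threading

# Linux layout of struct ucred as returned by SO_PEERCRED: pid_t pid; uid_t uid; gid_t gid.
_UCRED = struct.Struct("3i")

# Constructed demo rule: the message claims an identity in a "uid=" field, in the
# same shape as the pam_unix line the question writes via syslog().
_UID_RE = re.compile(rb"\buid=(\d+)\b")


def own_uid():
    return os.getuid()


def honest_line():
    """Constructed sample: a PAM-style line whose uid= matches the sending process."""
    return b"pam_unix(sudo:auth) authentication failure; logname=alice uid=%d" % own_uid()


def forged_line_for_other_user():
    """Constructed sample: the same line claiming a uid the sender does not have."""
    return b"pam_unix(sudo:auth) authentication failure; logname=root uid=%d" % (own_uid() + 1)


def peer_credentials(conn):
    """(pid, uid, gid) of the process at the other end of a connected AF_UNIX socket.

    The kernel fills these in at connect time; the client cannot choose them,
    unlike the bytes it sends.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)


def tag_record(line, pid, uid, gid):
    """Prefix the raw line with the attested sender identity and flag a uid mismatch."""
    claimed = _UID_RE.search(line)
    suspicious = claimed is not None and int(claimed.group(1)) != uid
    flag = " SUSPICIOUS(claimed uid != peer uid)" if suspicious else ""
    record = "peer_pid=%d peer_uid=%d peer_gid=%d%s msg=%s" % (
        pid, uid, gid, flag, line.decode("utf-8", errors="replace"))
    return {"pid": pid, "uid": uid, "gid": gid, "suspicious": suspicious, "record": record}


def serve_one(listener):
    """Accept one client on an already-listening socket, read until EOF, tag the message."""
    conn, _ = listener.accept()
    with conn:
        pid, uid, gid = peer_credentials(conn)
        chunks = []
        while True:
            buf = conn.recv(4096)
            if not buf:
                break
            chunks.append(buf)
        return tag_record(b"".join(chunks), pid, uid, gid)


def send_line(path, line):
    """What the unprivileged client (the PAM module's host process) does."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(path)
        cli.sendall(line)


def demo(line):
    """Run the logger in a thread and the client in this thread; return the logger's result."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "logger.sock")
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as listener:
            listener.bind(path)
            listener.listen(1)  # bound and listening before the client connects
            result = {}
            t = threading.Thread(target=lambda: result.update(serve_one(listener)))
            t.start()
            send_line(path, line)
            t.join()
    return result


if __name__ == "__main__":
    for sample in (honest_line(), forged_line_for_other_user()):
        print(demo(sample)["record"])
```

The point of the design is that the logger never decides anything based on the message body alone: the body is opaque client data, while peer_uid is evidence. A real deployment would store the attested pid/uid/gid with every record (or pass them on via SCM_CREDENTIALS when relaying), so that a forged "another user logged in" line is at least attributable to the account that actually wrote it.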