Bug 259676

Summary: auditd goes compute bound and locks up when sent SIGUSR1
Product: [openSUSE] openSUSE 10.2 Reporter: Crispin Cowan <crispin>
Component: Security Assignee: Tony Jones <tonyj>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: ast, security-team
Version: Final   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Crispin Cowan 2007-03-31 09:52:29 UTC
The man page for auditd says that if you send it SIGUSR1, it will immediately
rotate the audit logs. This is very useful functionality, and I used it in the
AppArmor demo re-initialization script. It works properly on GA editions of
SLES10 and SLED10.

However, on openSUSE 10.2 sending SIGUSR1 to auditd causes it to become compute
bound, and cease generating audit records.

This is easily reproducible: just send SIGUSR1 to the auditd process, and it
immediately locks up.

Recovery is easy: run "/etc/init.d/auditd restart". The restart takes a little
longer than usual, but does succeed.

Not really a security vulnerability, because it seems you need to be root to
send SIGUSR1 and have it do anything. Sending from non-root had no noticeable
effects.

This bug was badly reported in 249638, where I had this problem confounded with
problems in ZMD in hard-to-reproduce ways. At least now the auditd bug is clean
and easy to reproduce.

NOTE: I have not checked SP1 to see if it is infected with this bug. Someone
with access to an SP1 beta should do that very soon.
Comment 1 Thomas Biege 2007-04-02 10:56:01 UTC
Not a security bug because it is only triggerable by root (or can it be triggered automatically by another process?). Reassigning to maintainer.
Comment 2 Crispin Cowan 2007-04-02 11:13:27 UTC
Yes, in my testing, only root can trigger the bug. Whether that makes it "not a security bug" or not is a matter of opinion; auditing freaks would claim that even root should be audited, and this makes it trivial to suspend auditing. Realists would observe that root can mess with auditing without this bug.
Comment 3 Tony Jones 2007-04-07 00:15:50 UTC
Reproduced in audit 1.2.6 (10.2). Fails to reproduce in audit 1.2.9 (stable and SP1). Thanks for the bug, Crispin. Not sure it warrants a security fix as it's only root exploitable. If you disagree, follow up, else I'll likely close this as fixed in the next release.
Comment 4 Crispin Cowan 2007-04-07 03:13:57 UTC
I agree that it is not a security bug, so apply whatever the policy is for functionality bug fixes.

Is it our policy to not fix functionality bugs in openSUSE?
Comment 5 Marcus Meissner 2007-04-12 12:42:56 UTC
The project manager is asked.

AJ? or was it AnJa?
Comment 6 Marcus Meissner 2007-04-12 12:44:31 UTC
Actually Anja.

I would say: go for it if the fix is small.
Comment 7 Anja Stock 2007-04-12 13:50:17 UTC
Your wish is my command. SWAMPID is 9408
Comment 8 Tony Jones 2007-04-27 14:49:45 UTC
Checked into abuild for 10.2 update.
Comment 9 Anja Stock 2007-05-02 09:51:14 UTC
released