vfs_audit log used to show the full path name. I am not sure when that changed, but now open only logs the last component (like basename). Rename still logs both old and new full pathnames. Is there some config entry that needs to be set to get the full pathnames logged? [global] full_audit:priority = notice full_audit:facility = local1 full_audit:success = open rename full_audit:failure = connect full_audit:prefix = %u|%I|%S [sname] path = /home/usr vfs objects = full_audit Actual results: ryan|$IP|sname|rename|ok|a/b/c.tmp|a/b/c.xlsx ryan|$IP|sname|open|ok|r|c.xlsx Expected results: ryan|$IP|sname|rename|ok|a/b/c.tmp|a/b/c.xlsx ryan|$IP|sname|open|ok|r|a/b/c.xlsx With the current code, we don't know which one of the possibly many c.xlsx files were read. Looking at vfs_full_audit.c, smb_full_audit_open() and smb_full_audit_rename() are very similar, using smb_fname_str_do_log() to format the file name string for logging. Apparently the difference is at a higher level. Can we assume that the filename should be prefixed with the current directory, or might the current directory have been changed by the time the audit log is called?
Jeremy, could you please look into this issue?
(In reply to Andreas Schneider from comment #1) > Jeremy, could you please look into this issue? After you reviewed my gluster dirpath patch on the list please :-).
Created attachment 14449 [details] git-am fix for 4.9.next, 4.8.next, 4.7.next Cherry-picked from master.
Karolin, could you please apply the patch the the relevant branches? Thanks!
(In reply to Andreas Schneider from comment #4) Pushed to autobuild-v4-{9,8,7}-test.
(In reply to Karolin Seeger from comment #5) This fails autobuild consistently for the samba-systemkrb5 target: [781(4)/2304 at 10s] samba3.rpc.lsa.lookupsids krb5 with old ccache ncacn_np with [smb2] (ktest) smbtorture 4.8.6-DEVELOPERBUILD Using seed 1536146480 WARNING!: Failed to connect to remote server: ncacn_np:LOCALKTEST6[,smb2] NT_STATUS_CONNECTION_DISCONNECTED UNEXPECTED(failure): samba3.rpc.lsa.lookupsids krb5 with old ccache ncacn_np with [smb2] .lsa.LookupSidsReply(ktest) REASON: Exception: Exception: Setup failed: ../source4/torture/rpc/rpc.c:310: status was NT_STATUS_CONNECTION_DISCONNECTED, expected NT_STATUS_OK: Error connecting to server FAILED (1 failures, 0 errors and 0 unexpected successes in 0 testsuites)
Metze, did you post this comment on the right bug ? This (samba-systemkrb5) doesn't seem related to the vfs_audit_log code ? Jeremy.
(In reply to Jeremy Allison from comment #7) At least I can confirm that autobuild-v4-8-test and autobuild-v4-7-test failed ~10 times with these patches and does not without them.
(In reply to Jeremy Allison from comment #7) I guess that this environment just compiles as the first task and it fails. I guess it would also fail in any other environment.
Any progress on this? It looks like the patch never made it into 4.8
I've verified that the patches are included in current Samba releases >=4.9.0. The fix will not go into 4.8 anymore, because 4.8 is in security fixes only mode and will be discontinued very soon. I close the bug as resolved, now. Best regards, Björn
I re-open this bug because the issue is not fixed completely. Not all calls use the smb_fname_str_do_log() function. For example "realpath" and "opendir" does still not log the full path name. Björn
Created attachment 15475 [details] patch for v4-10 and v4-11 cherry-picked from master (with some adjustments) I've attached the picked patch from master. Without this patch the different vfs calls log a mix of full path names, paths relative to the share root or just the affected file name. With the patch the full path names should be used always.
Karolin, could you please apply the patch to 4.10 and 4.11? Thanks!
(In reply to Andreas Schneider from comment #14) Pushed to autobuild-v4-{11,10}-test.
Comment on attachment 15475 [details] patch for v4-10 and v4-11 cherry-picked from master (with some adjustments) It seems that the backports are missing a patch that's only in master: It fails like this: ../../source3/modules/vfs_full_audit.c: In function ‘smb_full_audit_setxattr’: ../../source3/modules/vfs_full_audit.c:2794:30: error: passing argument 1 of ‘smb_fname_str_do_log’ from incompatible pointer type [-Werror=incompatible-pointer-types] smb_fname_str_do_log(handle->conn, smb_fname), ^~~~~~ ../../source3/modules/vfs_full_audit.c:663:20: note: expected ‘const struct smb_filename *’ but argument is of type ‘struct connection_struct *’ static const char *smb_fname_str_do_log(const struct smb_filename *cwd, ^~~~~~~~~~~~~~~~~~~~ cc1: all warnings being treated as errors I found this in samba-static.stderr
Removed for now from 4.10 and 4.11, re-assigning to Björn.
Fixed in all stable releases.