Ubuntu Pastebin

Paste from Chipaca at Wed, 6 Dec 2017 14:55:38 +0000

Download as text 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
/var/tmp/test does not exist. Root does
su -l -c "/snap/bin/browser-support-consumer.cmd ls /var/tmp/" test:

type=USER_AUTH msg=audit(1512572014.995:364): pid=12282 uid=0 auid=1000 ses=1 msg='op=PAM:authentication acct="test" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=USER_ACCT msg=audit(1512572014.995:365): pid=12282 uid=0 auid=1000 ses=1 msg='op=PAM:accounting acct="test" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=CRED_ACQ msg=audit(1512572014.999:366): pid=12282 uid=0 auid=1000 ses=1 msg='op=PAM:setcred acct="test" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=USER_START msg=audit(1512572014.999:367): pid=12282 uid=0 auid=1000 ses=1 msg='op=PAM:session_open acct="test" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=AVC msg=audit(1512572015.199:368): apparmor="DENIED" operation="open" profile="snap.browser-support-consumer.cmd" name="/var/tmp/" pid=12301 comm="ls" requested_mask="r" denied_mask="r" fsuid=12345 ouid=0
type=SYSCALL msg=audit(1512572015.199:368): arch=c000003e syscall=2 success=no exit=-13 a0=c27200 a1=90800 a2=0 a3=502 items=0 ppid=12283 pid=12301 auid=1000 uid=12345 gid=12345 euid=12345 suid=12345 fsuid=12345 egid=12345 sgid=12345 fsgid=12345 tty=(none) ses=1 comm="ls" exe="/bin/ls" key=(null)
type=UNKNOWN[1327] msg=audit(1512572015.199:368): proctitle=6C73002F7661722F746D702F
type=USER_END msg=audit(1512572015.203:369): pid=12282 uid=0 auid=1000 ses=1 msg='op=PAM:session_close acct="test" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=CRED_DISP msg=audit(1512572015.203:370): pid=12282 uid=0 auid=1000 ses=1 msg='op=PAM:setcred acct="test" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/2 res=success'




/var/tmp/test *does* exist. Root does
su -l -c "/snap/bin/browser-support-consumer.cmd ls /var/tmp/" test:


type=SERVICE_START msg=audit(1512572030.207:371): pid=442 uid=0 auid=4294967295 ses=4294967295 msg=' comm="snapd.refresh" exe="/lib/systemd/systemd" hostname=? addr=? terminal=pts/5 res=success'
type=SERVICE_STOP msg=audit(1512572030.207:372): pid=442 uid=0 auid=4294967295 ses=4294967295 msg=' comm="snapd.refresh" exe="/lib/systemd/systemd" hostname=? addr=? terminal=pts/5 res=success'
type=USER_AUTH msg=audit(1512572031.895:373): pid=12326 uid=0 auid=1000 ses=1 msg='op=PAM:authentication acct="test" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=USER_ACCT msg=audit(1512572031.895:374): pid=12326 uid=0 auid=1000 ses=1 msg='op=PAM:accounting acct="test" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=CRED_ACQ msg=audit(1512572031.895:375): pid=12326 uid=0 auid=1000 ses=1 msg='op=PAM:setcred acct="test" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=USER_START msg=audit(1512572031.895:376): pid=12326 uid=0 auid=1000 ses=1 msg='op=PAM:session_open acct="test" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=USER_END msg=audit(1512572031.899:377): pid=1093 uid=0 auid=1000 ses=1 msg='op=PAM:session_close acct="ubuntu" exe="/usr/sbin/sshd" hostname=10.0.2.2 addr=10.0.2.2 terminal=ssh res=failed'
type=CRED_DISP msg=audit(1512572031.899:378): pid=1093 uid=0 auid=1000 ses=1 msg='op=PAM:setcred acct="ubuntu" exe="/usr/sbin/sshd" hostname=10.0.2.2 addr=10.0.2.2 terminal=ssh res=success'
type=AVC msg=audit(1512572031.947:379): apparmor="DENIED" operation="open" profile="snap.browser-support-consumer.cmd" name="/var/tmp/" pid=12341 comm="ls" requested_mask="r" denied_mask="r" fsuid=12345 ouid=0
type=SYSCALL msg=audit(1512572031.947:379): arch=c000003e syscall=2 success=no exit=-13 a0=12d4200 a1=90800 a2=0 a3=502 items=0 ppid=12327 pid=12341 auid=1000 uid=12345 gid=12345 euid=12345 suid=12345 fsuid=12345 egid=12345 sgid=12345 fsgid=12345 tty=(none) ses=1 comm="ls" exe="/bin/ls" key=(null)
type=UNKNOWN[1327] msg=audit(1512572031.947:379): proctitle=6C73002F7661722F746D702F
type=USER_END msg=audit(1512572031.947:380): pid=12326 uid=0 auid=1000 ses=1 msg='op=PAM:session_close acct="test" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=CRED_DISP msg=audit(1512572031.947:381): pid=12326 uid=0 auid=1000 ses=1 msg='op=PAM:setcred acct="test" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=USER_END msg=audit(1512572031.951:382): pid=12142 uid=0 auid=1000 ses=1 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'


(and the whole session that did that is killed)
Download as text