lib: use thread-safe passwd and group lookup

[cgzones]

Use getpwuid_r(3) and getgrnam_r(3) instead of their non thread-safe version to protect against concurrent usage, not necessarily within libaudit.

[stevegrubb]

To my knowledge, these functions are only used by auditctl. Since the kernel only knows numbers, we convert names/groups in the rules to numbers. I'm wondering if I should mark a bunch of these functions deprecated and then pull them into a private library some time in the future?

[cgzones]

There seem to be several third-party users of audit_rule_fieldpair_data(3):

• https://github.com/ElementAI/osquery/blob/04b51fd450b699cc24f46604fc4576240b7a06e1/osquery/events/linux/audit.cpp#L271
• https://github.com/Azure/Azure-IoT-Security-Agent-C/blob/43bbc87ee8c1061925835d01f0b4cc1dbd089874/src/agent/src/os_utils/linux/audit/audit_control.c#L87
• https://github.com/buzz/e4rat/blob/7d2f33b578afc8df8ab7e3cd5ab77668aab53fc4/src/listener.cc#L186
• https://github.com/tricktux/file-audit-system/blob/4b302ca7b81b388b3826f3125b58c677e0f40db9/src/monitor.cpp#L62
• https://github.com/wazuh/wazuh/blob/0e4c42ae116e9d226a9000d359f1f0704175fc66/src/shared/audit_op.c#L314

[stevegrubb]

Thanks for the info. I never would have guessed. :-) I'll review this more tomorrow.

[stevegrubb]

OK, looks good to me. Thanks!