On 2004-02-15, Colin Watson penned: > On Sun, Feb 15, 2004 at 12:20:26PM -0700, Monique Y. Herman wrote: >> On 2004-02-15, Joey Hess penned: >> > That would be a violation of debian policy, and is not the case on >> > any of my systems. >> > >> > -rwxr-xr-x 1 root root 33K Oct 9 2002 >> > /usr/sbin/logrotate* >> >> Well, Bastille locked those permissions down for me. > > Oh, God, why on earth?
Well, this was in my /var/log/Bastille/last.config : # Q: Would you like to set more restrictive permissions on the # administration utilities? [N] FilePermissions.generalperms_1_1="Y" And this was in my action-log: {Sun Dec 21 22:50:35 2003} Answer to question FilePermissions.generalperms_1_1 is "Y". Followed by a whole slew of chmods, logrotate being among them. >> The question is, was Bastille being overly paranoid, or can logrotate >> be exploited when it's world-executable? > > No executable that isn't set-user-id or set-group-id can ever let you > do anything you couldn't do yourself anyway. This is why Debian policy > says that non-set-id executables shouldn't have restrictive > permissions. > > I'd file a bug with the Bastille people. > Is this really a bug, or just a bad/pointless idea? I mean, it asked me if I should lock these tools down, and I said yes. I can always loosen up permissions on a case by case basis. I should probably file a wishlist item, in any case, that the Bastille interface enumerate the files it's going to chmod if you answer 'yes' to this question. -- monique -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]