> On Friday, February 25, 2011 03:13:31 am Matthias Runge wrote:
> > - change systems logs owners from root:root mode 600 to root:adm mode
> > 640 (or something similar)
> 
> So, what would be the implementation of this? How would logcheck or any log
> reader work. Would they be setgid applications or would they start as root and
> change to this new account?
> 
> There are things in the logs that ordinary users cannot have access to by
> default.
> 
> -Steve

+1 to this.

Setting a log reader (logfetch, in my case, from Xymon née Hobbit) 2700 
<designateduser>:adm and making logs I want it to be able to read chgrp adm and 
chmod g+r seemed to be the easiest and most secure way to deal with the 
situation. Nothing ever needs root privs and existing access controls suffice. 


> The simple concept is as depicted above: create a group "logreader" and
> change group ownership of all(/some) system logs to logreader.
> 
> Matthias

One benefit of setgid over simply giving an account "logreader" group 
membership is that even that user account doesn't have general read access 
to logs outside of a specific escalation point (in this case, the setgid 
logfetch tool). To the extent a security review of the log reading code is 
needed, it makes auditing easier.

If there are multiple levels of log security needed (secure vs. everything 
else?) one could use multiple setgid tools ("logreader" or "daemon" for regular 
logs, "adm" for secure ones?), or I suppose just have different users with 
different group/secondary group memberships.

Either way, one should still never need to make a tool setuid root to read a 
log we authorized it to.

See also http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3373 for 
logfetch, which prompted this


Japheth Cleaver
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

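The thread above settles on a concrete model: logs root:adm mode 640 (or 600 for the sensitive ones), a reader that is setgid to the log group, and nothing setuid root. The script below is an added example, not code from this thread, from Xymon/logfetch or from logcheck; it builds a constructed sample tree (the names, modes and log lines are made up for the demo) and audits it against that model, flagging world-readable logs and setuid readers. The `log/` and `bin/` layout under one root is an assumption of the example, chosen so it runs without root; the real `chgrp adm` / `chmod 640` step on `/var/log` would be done separately as root.

```shell
#!/bin/sh
# Added example (not from the thread, Xymon or logcheck): audit a log tree
# against the root:adm 640 model. Assumed layout: $ROOT/log holds the logs,
# $ROOT/bin holds the reader tools. Both are assumptions of this example.
set -eu

# Build a constructed sample tree: two logs that follow the model, one that
# leaks to every local user, a setgid reader (the shape the thread recommends)
# and a setuid reader (the shape the thread says is never needed just to read).
make_sample_tree() {
    root=$1
    mkdir -p "$root/log" "$root/bin"
    printf 'Feb 25 03:13:31 host sshd[42]: constructed sample line\n' > "$root/log/secure"
    chmod 600 "$root/log/secure"
    printf 'Feb 25 03:13:32 host kernel: constructed sample line\n' > "$root/log/messages"
    chmod 640 "$root/log/messages"
    printf 'Feb 25 03:13:33 host app: constructed sample line\n' > "$root/log/leaky.log"
    chmod 644 "$root/log/leaky.log"
    printf '#!/bin/sh\nexit 0\n' > "$root/bin/logfetch"
    chmod 2750 "$root/bin/logfetch"      # setgid to the log group: sufficient
    printf '#!/bin/sh\nexit 0\n' > "$root/bin/oldreader"
    chmod 4755 "$root/bin/oldreader"     # setuid: not needed to read a group-readable log
}

# Logs under $1 readable by "other" (mode bit 004 set). Such a file is visible
# to every local account, so group ownership does nothing for it.
# "-perm -004" means "all of these bits set", which is the POSIX find form.
world_readable_logs() {
    (cd "$1" && find . -type f -perm -004 | sort)
}

# Logs under $1 whose mode is neither 600 nor 640, the two modes the
# root:adm proposal allows (owner rw, group read at most, nothing for other).
nonconforming_logs() {
    (cd "$1" && find . -type f ! \( -perm 600 -o -perm 640 \) | sort)
}

# Reader tools under $1 carrying the setuid bit (04000).
setuid_tools() {
    (cd "$1" && find . -type f -perm -4000 | sort)
}

# Returns 0 when the tree follows the model, 1 otherwise; findings go to stdout.
audit_tree() {
    findings=$(
        nonconforming_logs "$1/log" | sed 's|^|log not 600/640: |'
        setuid_tools "$1/bin" | sed 's|^|setuid reader: |'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone demo on a throwaway tree; the audit is expected to fail here
# because the sample tree deliberately contains leaky.log and oldreader.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
audit_tree "$demo_root" || echo "tree does not follow the root:adm model"
rm -rf "$demo_root"
```

Run on a real system, point `world_readable_logs` and `nonconforming_logs` at `/var/log` and `setuid_tools` at the directory holding the log reader; a clean run prints nothing, and each line of output is one file that either bypasses the group scheme or escalates further than reading a log requires.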