On Thu, Jan 12, 2006, Bernhard Reiter wrote:

> On Wednesday, 11 January 2006 20:01, Ralf S. Engelschall wrote:
> > On Wed, Jan 11, 2006, Bernhard Reiter wrote:
> > > On Wednesday, 11 January 2006 15:34, Bernhard Reiter wrote:
> > > > By default the /openpkgdir/var/postfix/log/postfix.log is world
> > > > readable. This gives users of the system
> > > > the possibility to do some sort of email traffic analysis
> > > > for email flowing through the system.
>
> > > >             path="@l_prefix@/var/postfix/log/postfix.log",
> > > >             perm=0644, monitor=3600
>
> > > > I suggest to change this to
> > > perm=0640
>
> > Hmmm... I see your point and from a paranoid security point of view the
> > file should not be world-readable.
>
> We found out, because accidentally some Kolab Servers were logging passwords
> which made it a real world critical problem.
> [...]

Sure, logged passwords are a critical issue, but, to be honest, this is
a security problem of the application (passwords should never be logged
anywhere at all) and not caused by the fact that the receiving logfile
is world-readable. Nevertheless we still have the general question what
about world-readable logfiles at all...

                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com

______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
User Communication List                      openpkg-users@openpkg.org
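
Added example, not part of the original thread and not OpenPKG code: a POSIX shell check for the condition discussed above, log files with the "other read" bit set (0644 rather than 0640). The function names and the directory argument are assumptions; pass whichever directory holds the logs.

```shell
#!/bin/sh
# Added example: audit a log directory for world-readable files.
# The directory argument is an assumption, e.g. <prefix>/var/postfix/log.

# Print every regular file under $1 that has the "other read" bit set.
# A file with mode 0644 matches; a file with mode 0640 does not.
world_readable_logs() {
    find "$1" -type f -perm -004 -print
}

# Report offenders. Returns 0 when nothing is world-readable, 1 otherwise,
# so it can be used from cron or a monitoring check.
audit_logs() {
    offenders=$(world_readable_logs "$1")
    if [ -n "$offenders" ]; then
        printf 'world-readable log files:\n%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Remove all "other" permission bits from the offending files
# (0644 becomes 0640). Owner and group bits are left untouched, so a
# group that is meant to read the log keeps its access.
tighten_logs() {
    find "$1" -type f -perm -004 -exec chmod o-rwx {} +
}
```

`tighten_logs` changes existing files only; the `perm=` value quoted in the thread is a separate setting.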
