Re: Access rights for system logs
On 01/03/11 23:07, Cleaver, Japheth wrote:
> On Friday, February 25, 2011 03:13:31 am Matthias Runge wrote:
> > - change system logs owners from root:root mode 600 to root:adm mode 640 (or something similar)
> [snip]
> One benefit of setgid over simply giving an account logreader group membership is that even that user account doesn't have general read access to logs outside of a specific escalation point (in this case, the setgid logfetch tool). To the extent a security review of the log reading code is needed, it makes auditing easier.
> If there are multiple levels of log security needed (secure vs. everything else?) one could use multiple setgid tools (logreader or daemon for regular logs, adm for secure ones?), or I suppose just have different users with different group/secondary group memberships. Either way, one should still never need to make a tool setuid root to read a log we authorized it to.
> See also http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3373 for logfetch, which prompted this.
> Japheth Cleaver

Since logs currently are only readable and writable for the root user (not group), setgid wouldn't work. Thinking it over, I still would use a special log reader group (and put users for log reading programs into this group). logcheck e.g. uses a small tool (logtail) for reading logs. If we simply setgid logtail, everybody could read logs. Still I can not see an advantage of setgid. This will touch *all* log files.

Kevin Fenzi suggested this should become a feature (I think this is rather a bugfix than a feature, but I'm not a FESCo member). I started a Feature Page in the wiki: https://fedoraproject.org/wiki/User:Mrunge/Logreader It is far from complete; take it as work in progress.

Matthias
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
RE: Access rights for system logs
> On Friday, February 25, 2011 03:13:31 am Matthias Runge wrote:
> > - change system logs owners from root:root mode 600 to root:adm mode 640 (or something similar)
> So, what would be the implementation of this? How would logcheck or any log reader work? Would they be setgid applications or would they start as root and change to this new account? There are things in the logs that ordinary users cannot have access to by default.
> -Steve

+1 to this. Setting a log reader (logfetch, in my case, from Xymon née Hobbit) 2700 designateduser:adm and making logs I want it to be able to read chgrp adm and chmod g+r seemed to be the easiest and most secure way to deal with the situation. Nothing ever needs root privs and existing access controls suffice.

> The simple concept is as depicted above: create a group logreader and change group ownership of all(/some) system logs to logreader.
> Matthias

One benefit of setgid over simply giving an account logreader group membership is that even that user account doesn't have general read access to logs outside of a specific escalation point (in this case, the setgid logfetch tool). To the extent a security review of the log reading code is needed, it makes auditing easier.

If there are multiple levels of log security needed (secure vs. everything else?) one could use multiple setgid tools (logreader or daemon for regular logs, adm for secure ones?), or I suppose just have different users with different group/secondary group memberships. Either way, one should still never need to make a tool setuid root to read a log we authorized it to.

See also http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3373 for logfetch, which prompted this.

Japheth Cleaver
Re: Access rights for system logs
On Sun, 2011-02-27 at 23:20 +0100, Till Maas wrote:
> On Sun, Feb 27, 2011 at 12:30:43PM -0700, Kevin Fenzi wrote:
> > Were you thinking of just /var/log/messages? or all log files? Or all syslog written files? or ? If you are talking all log files, I would suggest making this into a feature for f16, since it's going to require coordinating a bunch of changes of packages to have the right group ownership of their log files.
> It is only required for log files that are not world-readable.
> ...

The existence of /var/log/secure suggests that the policy is not as simple as one group owning all log files.

-- 
Glen Turner
www.gdt.id.au/~gdt
Re: Access rights for system logs
On Friday, February 25, 2011 03:13:31 am Matthias Runge wrote:
> - change system logs owners from root:root mode 600 to root:adm mode 640 (or something similar)

So, what would be the implementation of this? How would logcheck or any log reader work? Would they be setgid applications or would they start as root and change to this new account? There are things in the logs that ordinary users cannot have access to by default.

-Steve
Re: Access rights for system logs
On Mon, Feb 28, 2011 at 11:46:13AM -0500, Steve Grubb wrote:
> On Friday, February 25, 2011 03:13:31 am Matthias Runge wrote:
> > - change system logs owners from root:root mode 600 to root:adm mode 640 (or something similar)
> So, what would be the implementation of this? How would logcheck or any log reader work? Would they be setgid applications or would they start as root and change to this new account?

Usually they are run as the required user in a cron job and the admin (root) needs to configure / install them to run. For security reasons, logcheck should not be run with root permissions, but it still needs access to the log files to process them.

Regards
Till
Re: Access rights for system logs
On Mon, Feb 28, 2011 at 08:26:05PM +1030, Glen Turner wrote:
> On Sun, 2011-02-27 at 23:20 +0100, Till Maas wrote:
> > On Sun, Feb 27, 2011 at 12:30:43PM -0700, Kevin Fenzi wrote:
> > > Were you thinking of just /var/log/messages? or all log files? Or all syslog written files? or ? If you are talking all log files, I would suggest making this into a feature for f16, since it's going to require coordinating a bunch of changes of packages to have the right group ownership of their log files.
> > It is only required for log files that are not world-readable.
> > ...
> The existence of /var/log/secure suggests that the policy is not as simple as one group owning all log files.

To solve the current problem, it is as simple as this. If you want to solve other problems, you should name them first.

Regards
Till
Re: Access rights for system logs
On 02/28/11 17:46, Steve Grubb wrote:
> On Friday, February 25, 2011 03:13:31 am Matthias Runge wrote:
> > - change system logs owners from root:root mode 600 to root:adm mode 640 (or something similar)
> So, what would be the implementation of this? How would logcheck or any log reader work? Would they be setgid applications or would they start as root and change to this new account? There are things in the logs that ordinary users cannot have access to by default.
> -Steve

I try to keep this simple: normal users don't get into those groups. Installing logcheck etc. will require some administrative rights; there is no disclosure of something that should be hidden. I won't give logcheck etc. any setuid/setgid (why should we do so, we don't need to!).

The simple concept is as depicted above: create a group logreader and change group ownership of all(/some) system logs to logreader. That's it.

I know there are other applications, like logwatch. This may/could be changed not to require root permission. Its implementation will be very simple and fast. AFAIK there will be no breakage of existing packages, but we gain more flexibility.

Matthias
Re: Access rights for system logs
On Sat, 26 Feb 2011 10:44:05 +0100 Matthias Runge mru...@matthias-runge.de wrote:
> On 02/25/11 17:21, Till Maas wrote:
> > ...snip...
> > I like a special group just for accounts that should be able to read all log files, too, e.g. a group logread.
> > Regards
> > Till
> That sounds good to me. Should we include a group logwriter or logger for completeness? Who is in charge of changing this? ... which way do I/we have to go to reach this aim? Is this just contacting the rsyslog maintainer to change ownership? I suppose not.

Were you thinking of just /var/log/messages? or all log files? Or all syslog written files? or ?

If you are talking all log files, I would suggest making this into a feature for f16, since it's going to require coordinating a bunch of changes of packages to have the right group ownership of their log files.

kevin
Re: Access rights for system logs
On Sun, Feb 27, 2011 at 12:30:43PM -0700, Kevin Fenzi wrote:
> Were you thinking of just /var/log/messages? or all log files? Or all syslog written files? or ? If you are talking all log files, I would suggest making this into a feature for f16, since it's going to require coordinating a bunch of changes of packages to have the right group ownership of their log files.

It is only required for log files that are not world-readable. And it can be easily implemented for log files that are not readable for any group.

Regards
Till
Re: Access rights for system logs
On 25.2.2011 09:13, Matthias Runge wrote:
> What do you think? Did I miss something? Has anybody of you another hint?

No detailed analysis, but just a brief +1 (unless some terrible issue is discovered in further discussion) ... I really liked this on Debian.

Matěj
Re: Access rights for system logs
On 02/25/2011 09:13 AM, Matthias Runge wrote:
> yum provides */messages did not list it. Is it really unowned?

In order to give Big Brother read access to /var/log/messages I have added:

create 640 root wheel

to /etc/logrotate.d/syslog and have added bbuser to the wheel group.

That file is owned by rsyslog in Fedora and sysklogd in RHEL.

Mogens
-- 
Mogens Kjaer, m...@lemo.dk
http://www.lemo.dk
Re: Access rights for system logs
On 25.2.2011 10:39, Mogens Kjaer wrote:
> create 640 root wheel
> to /etc/logrotate.d/syslog and have added bbuser to the wheel group.
> That file is owned by rsyslog in Fedora and sysklogd in RHEL.

I am not sure whether wheel is the correct group ... I don't think we should mix together two different things (who can use sudo, who can see logs).

Matěj
Re: Access rights for system logs
On Fri, Feb 25, 2011 at 03:50:57PM +0100, Matej Cepl wrote:
> On 25.2.2011 10:39, Mogens Kjaer wrote:
> > create 640 root wheel
> > to /etc/logrotate.d/syslog and have added bbuser to the wheel group.
> > That file is owned by rsyslog in Fedora and sysklogd in RHEL.
> I am not sure whether wheel is the correct group ... I don't think we should mix together two different things (who can use sudo, who can see logs).

I like a special group just for accounts that should be able to read all log files, too, e.g. a group logread.

Regards
Till