Re: /var/log/messages permissions in 4.2
On Thu, Dec 06, 2007 at 07:05:07AM -0500, Nick Holland wrote: > Douglas A. Tutty wrote: > > On Tue, Dec 04, 2007 at 02:30:28PM -0800, Bryan Irvine wrote: > >> > What would be the rationale for 640? ;) > >> > >> Well according to cvs log: > >> "it can be easily changed if you like it another way. millert," > >> > >> So I guess one rationale might be as simple as "because" ;) > > > > Does anything get posted to the log that a normal user should not see? > > I suppose it depends on the machine's context. Can traffic analysis on > > the log be used to determine what another user is doing any more than > > watching top? If you're concerned about normal users reading logs, you > > need to look at those logs and determine why you are concerned and > > determine the implcations of those concerns. > > The other question: > > Does the stuff there need to be seen so often that administrative users > might be tempted to do a "sudo -s" over "sudo more ...", and then do > something stupid that would have been a non-event if they weren't root? > > Difficult to maintain does NOT equal secure. > Difficult to maintain usually means "improperly maintained", and that > usually means insecure. > > IF you are producing messages output that the general users should NOT > be seeing, go ahead, change the access permissions! If you look at the > number of systems that either have > 1) only administrative users or > 2) have nothing secret going to /var/log/messages > you have probably covered the vast majority of OpenBSD systems. So, I > don't want to see the vast majority of systems made more difficult to > administer and perhaps prompting the user to "live" as root more than > needed. > > Glancing through the /var/log/messages files on a few of my machines, > I found nothing I wouldn't be more than happy to post to the Internet, > other than the rather anemic specs might be a bit embarrassing, but I > found that I was glad I didn't have to have root privs to look at > them. I think you may have overstated things a bit. They are readable by group wheel. Anyone who you could set up with sudo to read the logs could be in group wheel. Unless you have layers of admins, but then you would probably add an 'adm' group and change the file's group from wheel to adm. Doug.
Re: /var/log/messages permissions in 4.2
Douglas A. Tutty wrote: > On Tue, Dec 04, 2007 at 02:30:28PM -0800, Bryan Irvine wrote: >> > What would be the rationale for 640? ;) >> >> Well according to cvs log: >> "it can be easily changed if you like it another way. millert," >> >> So I guess one rationale might be as simple as "because" ;) >> > > Does anything get posted to the log that a normal user should not see? > I suppose it depends on the machine's context. Can traffic analysis on > the log be used to determine what another user is doing any more than > watching top? If you're concerned about normal users reading logs, you > need to look at those logs and determine why you are concerned and > determine the implcations of those concerns. > > Doug. The other question: Does the stuff there need to be seen so often that administrative users might be tempted to do a "sudo -s" over "sudo more ...", and then do something stupid that would have been a non-event if they weren't root? Difficult to maintain does NOT equal secure. Difficult to maintain usually means "improperly maintained", and that usually means insecure. IF you are producing messages output that the general users should NOT be seeing, go ahead, change the access permissions! If you look at the number of systems that either have 1) only administrative users or 2) have nothing secret going to /var/log/messages you have probably covered the vast majority of OpenBSD systems. So, I don't want to see the vast majority of systems made more difficult to administer and perhaps prompting the user to "live" as root more than needed. Glancing through the /var/log/messages files on a few of my machines, I found nothing I wouldn't be more than happy to post to the Internet, other than the rather anemic specs might be a bit embarrassing, but I found that I was glad I didn't have to have root privs to look at them. Nick.
Re: /var/log/messages permissions in 4.2
On Tue, Dec 04, 2007 at 02:30:28PM -0800, Bryan Irvine wrote: > > What would be the rationale for 640? ;) > > Well according to cvs log: > "it can be easily changed if you like it another way. millert," > > So I guess one rationale might be as simple as "because" ;) > Does anything get posted to the log that a normal user should not see? I suppose it depends on the machine's context. Can traffic analysis on the log be used to determine what another user is doing any more than watching top? If you're concerned about normal users reading logs, you need to look at those logs and determine why you are concerned and determine the implcations of those concerns. Doug.
Re: /var/log/messages permissions in 4.2
> What would be the rationale for 640? ;) Well according to cvs log: "it can be easily changed if you like it another way. millert," So I guess one rationale might be as simple as "because" ;) -B
Re: /var/log/messages permissions in 4.2
On 04/12/2007, Constantine A. Murenin <[EMAIL PROTECTED]> wrote: > On 04/12/2007, Lars Noodin <[EMAIL PROTECTED]> wrote: > > I'm noticing that the messages log seems to be world readable in 4.2 > > e.g. > > -rw-r--r-- 1 root wheel 1801 Dec 4 17:51 messages > > > > What's up with that? Shouldn't it be set to 640? If not what is the > > rationale for 644? > > It has been like this for a very long time, since 2002-11 and OpenBSD 3.3. > > http://www.openbsd.org/cgi-bin/cvsweb/src/etc/newsyslog.conf#rev1.20 Actually, it was always rotated with 644 permissions, starting with NetBSD dated 1993. What would be the rationale for 640? ;) C.
Re: /var/log/messages permissions in 4.2
On 04/12/2007, Lars Noodin <[EMAIL PROTECTED]> wrote: > I'm noticing that the messages log seems to be world readable in 4.2 > e.g. > -rw-r--r-- 1 root wheel 1801 Dec 4 17:51 messages > > What's up with that? Shouldn't it be set to 640? If not what is the > rationale for 644? It has been like this for a very long time, since 2002-11 and OpenBSD 3.3. http://www.openbsd.org/cgi-bin/cvsweb/src/etc/newsyslog.conf#rev1.20 Cheers, Constantine.
/var/log/messages permissions in 4.2
I'm noticing that the messages log seems to be world readable in 4.2 e.g. -rw-r--r-- 1 root wheel 1801 Dec 4 17:51 messages What's up with that? Shouldn't it be set to 640? If not what is the rationale for 644? -Lars
