Access rights for system logs

Matthias Runge mrunge at matthias-runge.de
Fri Mar 4 11:56:28 UTC 2011



On 01/03/11 23:07, Cleaver, Japheth wrote:
>> On Friday, February 25, 2011 03:13:31 am Matthias Runge wrote:
>>> - change systems logs owners from root:root mode 600 to root:adm mode
>>> 640 (or something similar)
>>
snip
> One benefit of setgid over simply giving an account "logreader" group membership is that even that user account doesn't have general read access to logs outside of a specific escalation point (in this case, the setgid logfetch tool). To the extent a security review of the log reading code is needed, it makes auditing easier.
> 
> If there are multiple levels of log security needed (secure vs. everything else?) one could use multiple setgid tools ("logreader" or "daemon" for regular logs, "adm" for secure ones?), or I suppose just have different users with different group/secondary group memberships.
> 
> Either way, one should still never need to make a tool setuid root to read a log we authorized it to.
> 
> See also http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3373 for logfetch, which prompted this
> 
> 
> Japheth Cleaver
Since logs currently are only readable and writable for the root user (not
group), setgid wouldn't work. Thinking it over, I still would use a
special log reader group (and put users for log reading programs
into this group).

logcheck e.g. uses a small tool (logtail) for reading logs. If we simply
setgid logtail, everybody could read logs. Still I cannot see an
advantage of setgid.

This will touch *all* log files. Kevin Fenzi suggested this should
become a feature (I think this is rather a bugfix than a feature, but
I'm not a FESCo member), so I started a Feature Page in the wiki:

https://fedoraproject.org/wiki/User:Mrunge/Logreader

It is far from complete; take it as work in progress.

Matthias
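As an added illustration (not part of Matthias's message or the Fedora feature page), a small POSIX shell audit for the root:adm mode 640 model proposed in the thread: it walks a log directory and reports every file whose owner, group or mode is wider than that model. It assumes GNU stat (-c); the owner and group names are parameters so it can be tried on a scratch directory, and the `audit_log_perms` helper and the demo files are hypothetical.

```sh
# Hypothetical audit helper (added example, not from the thread).
# Checks every regular file under DIR against the proposed model:
# owner OWNER, group GROUP, mode no wider than 640 (no world access,
# no group write/exec). Prints "<path>: <reasons>" per non-conforming
# file and returns 1 if any were found, 0 otherwise. Assumes GNU stat.
audit_log_perms() {
    dir=$1
    want_owner=$2
    want_group=$3
    findings=$(find "$dir" -type f | while IFS= read -r f; do
        owner=$(stat -c %U "$f")
        group=$(stat -c %G "$f")
        perm=$(stat -c %A "$f")                    # e.g. -rw-r-----
        gbits=$(printf '%s' "$perm" | cut -c5-7)   # group rwx triplet
        obits=$(printf '%s' "$perm" | cut -c8-10)  # other rwx triplet
        reasons=""
        [ "$owner" = "$want_owner" ] || reasons="$reasons owner=$owner"
        [ "$group" = "$want_group" ] || reasons="$reasons group=$group"
        case $gbits in
            *[wxsS]*) reasons="$reasons group-bits=$gbits" ;;
        esac
        [ "$obits" = "---" ] || reasons="$reasons world-bits=$obits"
        [ -z "$reasons" ] || printf '%s:%s\n' "$f" "$reasons"
    done)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Demo on a constructed scratch directory standing in for /var/log.
demo_dir=$(mktemp -d)
touch "$demo_dir/messages" "$demo_dir/secure"
chmod 640 "$demo_dir/messages"   # conforms to the proposed model
chmod 644 "$demo_dir/secure"     # world-readable: gets reported
audit_log_perms "$demo_dir" "$(id -un)" "$(id -gn)" \
    || echo "non-conforming log files found"
rm -rf "$demo_dir"
```

On a real system, `audit_log_perms /var/log root adm` lists the files that still need their owner, group or mode changed; an empty result means the directory already matches the proposed model.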

