On 01/03/11 23:07, Cleaver, Japheth wrote:
> On Friday, February 25, 2011 03:13:31 am Matthias Runge wrote:
>> - change systems logs owners from root:root mode 600 to root:adm mode
>> 640 (or something similar)
>
snip
> One benefit of setgid over simply giving an account "logreader" group
> membership is that even that user account doesn't have general read
> access to logs outside of a specific escalation point (in this case, the
> setgid logfetch tool). To the extent a security review of the log reading
> code is needed, it makes auditing easier.
>
> If there are multiple levels of log security needed (secure vs. everything
> else?) one could use multiple setgid tools ("logreader" or "daemon" for
> regular logs, "adm" for secure ones?), or I suppose just have different
> users with different group/secondary group memberships.
>
> Either way, one should still never need to make a tool setuid root to read
> a log we authorized it to.
>
> See also http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3373 for
> logfetch, which prompted this.
>
> Japheth Cleaver
Since logs currently are only readable and writable for the root user (not
group), setgid wouldn't work. Thinking it over, I still would use a
special log reader group (and put users for log reading programs
into this group).

logcheck e.g. uses a small tool (logtail) for reading logs. If we simply
setgid logtail, everybody could read logs. Still I cannot see an
advantage of setgid.

This will touch *all* log files. Kevin Fenzi suggested this should
become a feature (I think this is rather a bugfix than a feature, but
I'm not a FESCo member), so I started a Feature Page in the wiki:
https://fedoraproject.org/wiki/User:Mrunge/Logreader
It is far from complete; take it as work in progress.

Matthias
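The disagreement above comes down to how the Unix discretionary read check treats owner, group and other bits, and which groups a process effectively carries. The following is an added illustration, not code from the thread or from Fedora: it models that check over a constructed set of log files (root:root 600 as the current default, root:adm 640 and root:logreader 640 as the proposed layouts) and evaluates three access paths: a plain user, a user placed in a log reader group, and a user running a setgid tool whose effective group is adm. The file list, user name and group names are constructed assumptions. Root's bypass and POSIX ACLs are deliberately left out of the model.

```python
import stat

# Constructed sample of log files: (path, owner, group, mode).
# /var/log/messages reflects the root:root 600 default the thread describes;
# the other two reflect the proposed root:adm / root:logreader 640 layouts.
SAMPLE_LOGS = [
    ("/var/log/messages", "root", "root",      0o600),
    ("/var/log/secure",   "root", "adm",       0o640),
    ("/var/log/cron",     "root", "logreader", 0o640),
]


def effective_groups(user_groups, setgid_group=None):
    """Group set a process carries: the user's supplementary groups, plus the
    file group of a setgid executable if the tool was started through one.
    A setgid binary changes only the effective gid; it does not add the user
    to the group for any other process."""
    groups = set(user_groups)
    if setgid_group is not None:
        groups.add(setgid_group)
    return groups


def can_read(file_owner, file_group, mode, uid_name, groups):
    """Discretionary read check as the kernel applies it, without the root
    override or ACLs: the owner is judged only by the owner bits, a group
    member only by the group bits, everyone else by the other bits."""
    if uid_name == file_owner:
        return bool(mode & stat.S_IRUSR)
    if file_group in groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def readable_logs(logs, uid_name, groups):
    """Paths from `logs` that the given principal could open for reading."""
    return [path for path, owner, group, mode in logs
            if can_read(owner, group, mode, uid_name, groups)]


def world_readable(logs):
    """Audit helper: any log whose other-read bit is set, which is what a
    careless chmod on a setgid-oriented layout would expose."""
    return [path for path, _, _, mode in logs if mode & stat.S_IROTH]


if __name__ == "__main__":
    # Plain user "alice" (a constructed name) with only her own group.
    print("plain user:     ", readable_logs(SAMPLE_LOGS, "alice", {"alice"}))
    # Same user added to the logreader group, as Matthias proposes.
    print("logreader group:", readable_logs(SAMPLE_LOGS, "alice", {"alice", "logreader"}))
    # Same user running a setgid-adm tool, as Japheth proposes; note that the
    # root:root 600 file stays unreadable either way, which is the point that
    # the 600 -> 640 change has to come first.
    print("setgid adm tool:", readable_logs(SAMPLE_LOGS, "alice",
                                            effective_groups({"alice"}, setgid_group="adm")))
    print("world readable: ", world_readable(SAMPLE_LOGS))
```

The output for the setgid case shows why both posters agree the ownership change is the prerequisite: with the file at root:root 600, neither a group membership nor a setgid wrapper gets a non-root reader anywhere, and only after the group bit is set does the choice between "user in the group" and "setgid tool carries the group" make a difference in what the rest of the user's processes can open.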