9:13 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
currently, I'm the maintainer of logcheck. It parses system logs and
sends mails defined by regular expressions.
It's a package mostly adopted for debian. The README says, it is
recommended to create an own user and put it into adm group. This leads
to some problems, because fedoras system logs are currently owned
root:root and currently just readable by user.
Three possible solutions appear:
- - make logcheck owned by root (against package maintainers hint)
- - make the log reading program use the sticky option
- - change systems logs owners from root:root mode 600 to root:adm mode
640 (or something similar)
I would prefer the latter. What package owns "/var/log/messages"?
(Who to contact...?)
yum provides "*/messages" did not list it. Is it really unowned?
What do you think? Did I miss something? Has anybody of you another hint?
Thanks,
Matthias
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJNZ2SoAAoJEOnz8qQwcaIWTI0H/0P3rL7bBhcbfLP85wKHt8TK
STEv8xQSu8c1vxUZdr/acyOM/18iTfEl/rH9odj07qoHvwiuUl7ZD+GRgLlI/Geo
xKhDquRfcm6qZeBAAYV/oHsbFywl4nkRmftfndTwgibyKk9XN4bkPes99x/k5yxy
qG65tdanoBQP9nRPLLjoeZKxtU49lYMCEZve0NQY8hfgBEsh7zyLRkpUcBlQ/pi2
Ipcf/sKdAJ8fxVgr5mvKKjUxfA2C8kSE/n7rmNypQVWdu7e+Kn+Pog0VDmvmKD9j
mxp85+JA1XIL8HnOsj1VeiymvYm4M5aczH/gXP5cGWg7eJHvDTpJP5uVWIL10mA=
=Sa/e
-----END PGP SIGNATURE-----
10:39 a.m.
On 02/25/2011 09:13 AM, Matthias Runge wrote:
yum provides "*/messages" did not list it. Is it really
unowned?
In order to give Big Brother read access to /var/log/messages I have
added:
create 640 root wheel
to /etc/logrotate.d/syslog and have added bbuser to the wheel group.
That file is owned by rsyslog in Fedora and sysklogd in RHEL.
Mogens
--
Mogens Kjaer, mk(a)lemo.dk
http://www.lemo.dk
3:50 p.m.
Dne 25.2.2011 10:39, Mogens Kjaer napsal(a):
create 640 root wheel
to /etc/logrotate.d/syslog and have added bbuser to the wheel group.
That file is owned by rsyslog in Fedora and sysklogd in RHEL.
I am not sure whether wheel is the correct group ... I don't think we
should mix together two different things (who can use sudo, who can see
logs).
Matěj
5:21 p.m.
On Fri, Feb 25, 2011 at 03:50:57PM +0100, Matej Cepl wrote:
Dne 25.2.2011 10:39, Mogens Kjaer napsal(a):
> create 640 root wheel
>
> to /etc/logrotate.d/syslog and have added bbuser to the wheel group.
>
> That file is owned by rsyslog in Fedora and sysklogd in RHEL.
I am not sure whether wheel is the correct group ... I don't think we
should mix together two different things (who can use sudo, who can see
logs).
I like a special group just for accounts that should be able to read all
log files, too, e.g. a group logread.
Regards
Till
10:44 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/25/11 17:21, Till Maas wrote:
On Fri, Feb 25, 2011 at 03:50:57PM +0100, Matej Cepl wrote:
> Dne 25.2.2011 10:39, Mogens Kjaer napsal(a):
>> create 640 root wheel
>>
>> to /etc/logrotate.d/syslog and have added bbuser to the wheel group.
>>
>> That file is owned by rsyslog in Fedora and sysklogd in RHEL.
>
> I am not sure whether wheel is the correct group ... I don't think we
> should mix together two different things (who can use sudo, who can see
> logs).
I like a special group just for accounts that should be able to read all
log files, too, e.g. a group logread.
Regards
Till
That sounds good to me. Should we include a group "logwriter" or
"logger" for completeness?
Who is in charge to change this? ... which way do I/we have to go to
reach this aim? Is this just contacting rsyslog-maintainer to change
ownership? I suppose not.
Matthias
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJNaMtlAAoJEOnz8qQwcaIWhxgH/2omTQsYaQkb4mRQz5zSrbms
1HWrlkUfo+7OQ4dIZfe4ufbbhkSoyVg4fbDZIrtrAhZQvHfg1yTP0b2t0SkAE5g3
/6pXFRRsHh+7S4yq5yWoTE26SzeIDYwFxWEVv9DXjQ4J3xxKIXgkS9MoA8H2tSoO
DbcrYYFudc1j+nvTwSBrVhvJh7BNCT+dMNc+z221iCx1RPe2P7BUlI/EHzDZpi2F
P40d6Gs9Ii4GKqp4VaU7lC9ylGUId1WkYiVTjx9ykyelfGqUy1W6YTtYugXqkZRJ
haJQjow0WrxKvFVw4DHhi0ZP3RkPO/F8g6PHU8yBBo7W+wJ9Ex4QTlccWc5pHRU=
=wUQ0
-----END PGP SIGNATURE-----
8:30 p.m.
On Sat, 26 Feb 2011 10:44:05 +0100
Matthias Runge <mrunge(a)matthias-runge.de> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/25/11 17:21, Till Maas wrote:
...snip...
> I like a special group just for accounts that should be able to
> read all log files, too, e.g. a group logread.
>
> Regards
> Till
>
That sounds good to me. Should we include a group "logwriter" or
"logger" for completeness?
Who is in charge to change this? ... which way do I/we have to go to
reach this aim? Is this just contacting rsyslog-maintainer to change
ownership? I suppose not.
Were you thinking of just /var/log/messages? or all log files?
Or all syslog written files? or ?
If you are talking all log files, I would suggest making this into a
feature for f16, since it's going to require coordinating a bunch of
changes of packages to have the right group ownership of their log
files.
kevin
kevin
11:20 p.m.
On Sun, Feb 27, 2011 at 12:30:43PM -0700, Kevin Fenzi wrote:
Were you thinking of just /var/log/messages? or all log files?
Or all syslog written files? or ?
If you are talking all log files, I would suggest making this into a
feature for f16, since it's going to require coordinating a bunch of
changes of packages to have the right group ownership of their log
files.
It is only required for log files that are not world-readable. And it
can be easily implemented for log files that are not readable for any
group.
Regards
Till
10:56 a.m.
On Sun, 2011-02-27 at 23:20 +0100, Till Maas wrote:
On Sun, Feb 27, 2011 at 12:30:43PM -0700, Kevin Fenzi wrote:
> Were you thinking of just /var/log/messages? or all log files?
> Or all syslog written files? or ?
>
> If you are talking all log files, I would suggest making this into a
> feature for f16, since it's going to require coordinating a bunch of
> changes of packages to have the right group ownership of their log
> files.
It is only required for log files that are not world-readable.
...
The existence of /var/log/secure suggests that the policy is not as
simple as one group owning all file files.
--
Glen Turner
www.gdt.id.au/~gdt
6:25 p.m.
On Mon, Feb 28, 2011 at 08:26:05PM +1030, Glen Turner wrote:
On Sun, 2011-02-27 at 23:20 +0100, Till Maas wrote:
> On Sun, Feb 27, 2011 at 12:30:43PM -0700, Kevin Fenzi wrote:
>
> > Were you thinking of just /var/log/messages? or all log files?
> > Or all syslog written files? or ?
> >
> > If you are talking all log files, I would suggest making this into a
> > feature for f16, since it's going to require coordinating a bunch of
> > changes of packages to have the right group ownership of their log
> > files.
>
> It is only required for log files that are not world-readable.
...
The existence of /var/log/secure suggests that the policy is not as
simple as one group owning all file files.
To solve the current problem, it is as simple as this. If you want to
solve other problems, you should name them first.
Regards
Till
5:46 p.m.
On Friday, February 25, 2011 03:13:31 am Matthias Runge wrote:
- change systems logs owners from root:root mode 600 to root:adm
mode
640 (or something similar)
So, what would be the implementation of this? How would logcheck or any log reader
work. Would they be setgid applications or would they start as root and change to this
new account?
There are things in the logs that ordinary users cannot have access to to by default.
-Steve
6:24 p.m.
On Mon, Feb 28, 2011 at 11:46:13AM -0500, Steve Grubb wrote:
On Friday, February 25, 2011 03:13:31 am Matthias Runge wrote:
> - change systems logs owners from root:root mode 600 to root:adm mode
> 640 (or something similar)
So, what would be the implementation of this? How would logcheck or any log reader
work. Would they be setgid applications or would they start as root and change to this
new account?
Usually they are run as the required user in a cron job and the admin
(root) needs to configure / install them to run. For security reasons,
logcheck should not be run with root permissions, but it still needs
access to the log files to process them.
Regards
Till
9:23 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/28/11 17:46, Steve Grubb wrote:
On Friday, February 25, 2011 03:13:31 am Matthias Runge wrote:
> - change systems logs owners from root:root mode 600 to root:adm mode
> 640 (or something similar)
So, what would be the implementation of this? How would logcheck or any log reader
work. Would they be setgid applications or would they start as root and change to this
new account?
There are things in the logs that ordinary users cannot have access to to by default.
-Steve
I try to keep this simple: normal users don't get into those groups.
Installing logcheck etc. will require some administrative rights, there
is no disclosure of something that should be hidden.
I won't give logcheck etc. no setuid/setguid (why should we do so, we
don't need to!)
The simple concept is as depicted above: create a group "logreader" and
change group ownership of all(/some) system logs to logreader.
That's it. I know, there are other applications, like logwatch. This
may/could be changed not to require root permission.
It's implementation will be very simple and fast. AFAIK there will be
no breakage of existing packages, but we gain more flexibility.
Matthias
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJNbAQuAAoJEOnz8qQwcaIW9JYH/22h/3/6oyn+jmDq1bBavx4c
WYdCwS3+nPK5kd2KVv7xhS1oTLDmxwK28PXKC9wCGTqSv7ox66Uhq5Hh1aCVea0m
HFxCOcm+FSknZaYiCFAwW05pmB4XjfWZlFo08gQHdw6W2YUzLnusTy8R6NKdR+Ws
CA27AkI7vyZZRDoivvDdlnpRW8ub0Er+3xGJdGQBzu268ejPyuF0DCkCkrnclcVH
moZW4bIK0GgMTVBXjPm1yg3pELU6mzpgQqG4S4YYCo0Cdla7VNAfelFxZbIO+2Yt
LMVSkwCajQdUgT49UsmUgLS2TBZIqf8UmB3UuXe5O4eVJmsERwiKKjtgGIpsem8=
=mJAa
-----END PGP SIGNATURE-----
11:07 p.m.
On Friday, February 25, 2011 03:13:31 am Matthias Runge wrote:
> - change systems logs owners from root:root mode 600 to root:adm mode
> 640 (or something similar)
So, what would be the implementation of this? How would logcheck or any log reader
work. Would they be setgid applications or would they start as root and change to this
new account?
There are things in the logs that ordinary users cannot have access to to by default.
-Steve
+1 to this.
Setting a log reader (logfetch, in my case, from Xymon née Hobbit) 2700
<designateduser>:adm and making logs I want it to be able to read chgrp adm and
chmod g+r seemed to be the easiest and most secure way to deal with the situation. Nothing
ever needs root privs and existing access controls suffice.
The simple concept is as depicted above: create a group
"logreader" and
change group ownership of all(/some) system logs to logreader.
Matthias
One benefit of setgid over simply giving an account "logreader" group membership
is that that even that user account doesn't have general read access to logs outside
of a specific escalation point (in this case, the setgid logfetch tool). To the extent a
security review of the log reading code is needed, it makes auditing easier.
If there are multiple levels of log security needed (secure vs. everything else?) one
could use multiple setgid tools ("logreader" or "daemon" for regular
logs, "adm" for secure ones?), or I suppose just have different users with
different group/secondary group memberships.
Either way, one should still never need to make a tool setuid root to read a log we
authorized it to.
See also http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3373 for logfetch, which
prompted this
Japheth Cleaver
12:56 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/03/11 23:07, Cleaver, Japheth wrote:
> On Friday, February 25, 2011 03:13:31 am Matthias Runge wrote:
>> - change systems logs owners from root:root mode 600 to root:adm mode
>> 640 (or something similar)
>
snip
One benefit of setgid over simply giving an account
"logreader" group membership is that that even that user account doesn't
have general read access to logs outside of a specific escalation point (in this case, the
setgid logfetch tool). To the extent a security review of the log reading code is needed,
it makes auditing easier.
If there are multiple levels of log security needed (secure vs. everything else?) one
could use multiple setgid tools ("logreader" or "daemon" for regular
logs, "adm" for secure ones?), or I suppose just have different users with
different group/secondary group memberships.
Either way, one should still never need to make a tool setuid root to read a log we
authorized it to.
See also http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3373 for logfetch, which
prompted this
Japheth Cleaver
since logs currently are only readable and writable for root user
(not
group), setgid wouldn't work. Thinking it over, I still would use a
special log reader group (and putting users for log reading programs
into this group).
logcheck e.g. uses a small tool (logtail) for reading logs. If we simply
setgid logtail, everybody could read logs. Still I can not see an
advantage of setgid.
This will touch *all* log files. Kevin Fenzi suggested, this should
become a feature (I think this is rather a bugfix than a feature, but
I'm not a fesco member), I started a Feature Page in the wiki:
https://fedoraproject.org/wiki/User:Mrunge/Logreader
it is far from complete, take it as work in progress.
Matthias
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJNcNNsAAoJEOnz8qQwcaIWfY0IAI//91z/mGWF/DTTELYIKEu9
tcOiB5eFnL0Bn1cYQL6GUKUtZ3CFsSh7EHJjVE3mYfvBiSCD+O6eyqHgGQab1Kac
m/xhpVr5hOnU7py3NHN8tU6O23tnUkV2iUy23vUiJIkMnh5EYld70Od2Y6614XfU
619lmU+EJHR70QKZokVxEMbuxi75LWkFfNJ30OBv5dDL19KLl2XP9oiYoRi+eHtz
TcieCdMT3ZWfWYzoFj3tOEBWLfcZZYRCowVd6PnaPAEEqFkx62YewUcgQvewL8FM
Jo+PySiHeJDYIHBVg2bzSVG/vBSasDONrgq/36osLKOE1m2+5VaAdsK/Z038fII=
=uOTy
-----END PGP SIGNATURE-----
4800
days inactive
4807
days old
14 comments
8 participants
participants (8)
-
Cleaver, Japheth -
Glen Turner -
Kevin Fenzi -
Matej Cepl -
Matthias Runge -
Mogens Kjaer -
Steve Grubb -
Till Maas