Access rights for system logs

Matthias Runge mrunge at matthias-runge.de
Mon Feb 28 20:23:15 UTC 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/28/11 17:46, Steve Grubb wrote:
> On Friday, February 25, 2011 03:13:31 am Matthias Runge wrote:
>> - change systems logs owners from root:root mode 600 to root:adm mode
>> 640 (or something similar)
> 
> So, what would be the implementation of this? How would logcheck or any log reader 
> work. Would they be setgid applications or would they start as root and change to this 
> new account?
> 
> There are things in the logs that ordinary users cannot have access to to by default.
> 
> -Steve
I try to keep this simple: normal users don't get into those groups.
Installing logcheck etc. will require some administrative rights, there
is no disclosure of something that should be hidden.

I won't give logcheck etc. no setuid/setguid (why should we do so, we
don't need to!)
The simple concept is as depicted above: create a group "logreader" and
change group ownership of all(/some) system logs to logreader.

That's it. I know, there are other applications, like logwatch. This
may/could be changed not to require root permission.

It's implementation will be very simple and fast. AFAIK there will be
no breakage of existing packages, but we gain more flexibility.

Matthias
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJNbAQuAAoJEOnz8qQwcaIW9JYH/22h/3/6oyn+jmDq1bBavx4c
WYdCwS3+nPK5kd2KVv7xhS1oTLDmxwK28PXKC9wCGTqSv7ox66Uhq5Hh1aCVea0m
HFxCOcm+FSknZaYiCFAwW05pmB4XjfWZlFo08gQHdw6W2YUzLnusTy8R6NKdR+Ws
CA27AkI7vyZZRDoivvDdlnpRW8ub0Er+3xGJdGQBzu268ejPyuF0DCkCkrnclcVH
moZW4bIK0GgMTVBXjPm1yg3pELU6mzpgQqG4S4YYCo0Cdla7VNAfelFxZbIO+2Yt
LMVSkwCajQdUgT49UsmUgLS2TBZIqf8UmB3UuXe5O4eVJmsERwiKKjtgGIpsem8=
=mJAa
-----END PGP SIGNATURE-----


More information about the devel mailing list