Access rights for system logs
mrunge at matthias-runge.de
Mon Feb 28 20:23:15 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
On 02/28/11 17:46, Steve Grubb wrote:
> On Friday, February 25, 2011 03:13:31 am Matthias Runge wrote:
>> - change systems logs owners from root:root mode 600 to root:adm mode
>> 640 (or something similar)
> So, what would be the implementation of this? How would logcheck or any log reader
> work. Would they be setgid applications or would they start as root and change to this
> new account?
> There are things in the logs that ordinary users cannot have access to to by default.
I try to keep this simple: normal users don't get into those groups.
Installing logcheck etc. will require some administrative rights, there
is no disclosure of something that should be hidden.
I won't give logcheck etc. no setuid/setguid (why should we do so, we
don't need to!)
The simple concept is as depicted above: create a group "logreader" and
change group ownership of all(/some) system logs to logreader.
That's it. I know, there are other applications, like logwatch. This
may/could be changed not to require root permission.
It's implementation will be very simple and fast. AFAIK there will be
no breakage of existing packages, but we gain more flexibility.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
More information about the devel