systemd requires HTTP server and serves QR codes

Steve Clark sclark at netwolves.com
Tue Oct 9 19:44:45 UTC 2012


On 10/09/2012 02:17 PM, Lennart Poettering wrote:
> On Tue, 09.10.12 10:31, Matthew Miller (mattdm at fedoraproject.org) wrote:
>
>> On Tue, Oct 09, 2012 at 04:05:10PM +0200, Lennart Poettering wrote:
>>> On Tue, 09.10.12 09:49, Matthew Miller (mattdm at fedoraproject.org) wrote:
>>>> allowing regular users to do so. (Commonly currently accomplished by making
>>>> /var/log/messages owned and readable by the wheel group.)
>>> The HTTP thingy is not really how admins should access the logs. They
>>> should just use journalctl.
>> On a related but tangential note: I notice that journalctl allows access to
>> members of the admin group by default.
> Well, I'd say this differently: we _restrict_ access to "adm", in
> contrast to the previous logic where everybody was allowed to read
> /var/log/messages and only root /var/log/secure.
>
When was previous - that access to /var/log/messages was allowed?
$ cat /etc/redhat-release
Fedora release 14 (Laughlin)
sclark66:~/Download
$ less /var/log/messages
/var/log/messages: Permission denied

>> In Fedora for the past few releases
>> we've followed the tradition of making "wheel" the admin group -- see
>> http://docs.fedoraproject.org/en-US/Fedora/17/html/Installation_Guide/sn-firstboot-systemuser.html?
>> This is also the case in RHEL 6, so changes here have downstream
>> implications.
> The way I see this is that "wheel" allows you to *do* privileged things,
> but "adm" allows you to *see* privileged things.
>
> Note that "adm" has been widely used for the log purpose on other Linux
> distros, most notably Debian and its descendants. On Debian
> /var/log/messages defaulted to being private to "adm", and we kinda
> wanted to unify things here and thought the Debian default is much nicer
> than the Fedora default of world-readability of logs, from a security
> PoV.
>
>> Could we make that a default on Fedora in addition to adm? (I assume this is
>> polkit but can't see it offhand -- hmmm... looks to be hard-coded in the
>> source?) I don't really have a strong opinion about whether adm should work
>> or not, but wheel should.
> Well, we could of course add this as ACL, but I wonder if it wouldn't be
> nicer to declare that "adm" is for seeing, and "wheel" for doing as I
> suggested above.
>
>> Second, there's a traditional separation between /var/log/secure and
>> /var/log/messages. Crucially, the "secure" log may contain
>> accidentally-typed user passwords and other privacy-sensitive information.
>> How can we do something similar with the systemd journal and
>> journalctl?
> As mentioned no system messages are user-readable by default in the
> journal. We are more secure by default with the journal.
>
>> Ideally, the /var/log/messages data would be available to members of the
>> admin group without extra authentication, but seeing the potentially-privacy
>> sensitive /var/log/secure should require re-authentication. (As a sysadmin,
>> I should be able to safely look at message data with a user looking over my
>> shoulder, so I can help them without possibly exposing private information
>> about other users on the system.)
> Well, honestly the old secure vs. messages split is kinda broken, simply
> because old syslog didn't check the originator of messages and hence
> unprivileged processes could have their data spill into the presumed
> "secure" logs. Splitting this off based on the "facility" field is fake
> security, and we don't do "fake security" anymore with the journal.
>
> Lennart
>


-- 
Stephen Clark
*NetWolves*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark at netwolves.com
http://www.netwolves.com