What are reasonable blockers for making journald the default logger in F19?

Simo Sorce simo at redhat.com
Thu Oct 18 00:35:33 UTC 2012


On Wed, 2012-10-17 at 18:20 -0400, Andrew Schultz wrote:
> Simo Sorce wrote:
> > All very nice, but the current situation is that this info *is* sent to
> > the log.
> > So I applaud if you want to go and fix applications, in the meanwhile we
> > cannot relax security around that log IMO.
> 
> The current situation (from where I'm sitting) is that the private info 
> is *not* sent to the log because the of the gdm chooser design.  So what 
> we have instead is that non-private info is being sent to a 
> super-private log and (as Lennart pointed out) that information is less 
> accessible to the admins that might be able to use it.

gdm is only one of the entry points.
The console still asks for a user name, it does not present a chooser.
And the console is the default prompt for a lot of use cases (VMs in
labs, etc...).

> If you are concerned about people not using the chooser or some other 
> vector to hit the issue with pam, then fixing pam is a ~1 line patch (if 
> people can be convinced that the info shouldn't be logged).  I can't 
> imagine too many other applications having this bad behavior (given that 
> I never see passwords in the logs anymore).  I don't know what we 
> accomplish by protecting AUTHPRIV as a facilitator of applications 
> logging things that shouldn't be logged.

You protect the innocent users. Before you can say it is a one-liner you
should perform an audit and check what logs with authpriv on Fedora and
then see what is logged. It is not an easy task; there aren't just PAM
modules, although those are prime targets.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
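The audit Simo asks for (what writes to authpriv, and what those messages actually contain) can be started from the journal itself. The block below is an added example, not code from this thread, from Fedora or from systemd: it parses the KEY=VALUE layout of `journalctl -o export` over a constructed sample, lists the syslog identifiers that log to facility 10 (LOG_AUTHPRIV in syslog(3) numbering) and flags the messages that echo the name the user typed, which is exactly where a password entered at a login: prompt ends up. The sample records and the name-matching regexes are my own assumptions about pam_unix/sshd wording, not an exhaustive list.

```python
"""Triage which programs log to the authpriv facility and which of those
messages echo a user-supplied name.  Added example; the records below are
constructed, not real journal output."""
import re
import sys
from collections import defaultdict

LOG_AUTHPRIV = 10  # syslog(3) facility number for authpriv (LOG_AUTH is 4)

# Constructed sample in the layout of `journalctl -o export`: one KEY=VALUE
# per line, entries separated by a blank line.  Message texts follow the
# pam_unix / sshd wording but are made up for this example.
SAMPLE_EXPORT = """\
SYSLOG_FACILITY=10
SYSLOG_IDENTIFIER=login
MESSAGE=pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty=tty1 ruser= rhost=  user=hunter2

SYSLOG_FACILITY=10
SYSLOG_IDENTIFIER=login
MESSAGE=pam_unix(login:auth): check pass; user unknown

SYSLOG_FACILITY=10
SYSLOG_IDENTIFIER=gdm-password
MESSAGE=pam_unix(gdm-password:session): session opened for user alice by (uid=0)

SYSLOG_FACILITY=4
SYSLOG_IDENTIFIER=sshd
MESSAGE=Invalid user hunter2 from 192.0.2.1

SYSLOG_FACILITY=10
SYSLOG_IDENTIFIER=su
MESSAGE=pam_unix(su:auth): authentication failure; logname=alice uid=1000 euid=0 tty=pts/0 ruser=alice rhost=  user=root
"""

# Heuristics (assumed, not a complete catalogue) for messages that echo the
# name the user typed.  "\buser=" deliberately does not match "ruser=".
NAME_PATTERNS = (
    re.compile(r"\buser=(\S+)"),         # pam_unix: "... user=NAME"
    re.compile(r"\bfor user (\S+)"),     # pam_unix: "session opened for user NAME"
    re.compile(r"\bInvalid user (\S+)"), # sshd: "Invalid user NAME from ..."
)


def parse_export(text):
    """Split journal export text into a list of {FIELD: value} dicts.
    Binary-valued fields (FIELD, newline, length-prefixed data) are not
    handled; plain KEY=VALUE lines are all this example needs."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key] = value
    if current:
        entries.append(current)
    return entries


def echoed_name(message):
    """Return the user name a message echoes, or None if it carries none."""
    for pat in NAME_PATTERNS:
        m = pat.search(message)
        if m:
            return m.group(1)
    return None


def audit(text, facility=LOG_AUTHPRIV):
    """Per syslog identifier writing to `facility`: how many messages it
    produced and how many of them echo a user-typed name."""
    report = defaultdict(lambda: {"messages": 0, "echo_name": 0})
    for e in parse_export(text):
        if e.get("SYSLOG_FACILITY") != str(facility):
            continue
        ident = e.get("SYSLOG_IDENTIFIER", "?")
        report[ident]["messages"] += 1
        if echoed_name(e.get("MESSAGE", "")) is not None:
            report[ident]["echo_name"] += 1
    return dict(report)


def echoed_names(text, facility=LOG_AUTHPRIV):
    """Sorted (identifier, name) pairs for every message in `facility` that
    echoes a name; review these for strings that look like passwords."""
    found = []
    for e in parse_export(text):
        if e.get("SYSLOG_FACILITY") != str(facility):
            continue
        name = echoed_name(e.get("MESSAGE", ""))
        if name is not None:
            found.append((e.get("SYSLOG_IDENTIFIER", "?"), name))
    return sorted(found)


if __name__ == "__main__":
    # Pipe real data in with:  journalctl -o export SYSLOG_FACILITY=10 | python3 audit.py
    text = SAMPLE_EXPORT if sys.stdin.isatty() else sys.stdin.read()
    for ident, stats in sorted(audit(text).items()):
        print(f"{ident:14s} messages={stats['messages']} echo_name={stats['echo_name']}")
    print(echoed_names(text))
```

On the sample, sshd is dropped by the facility filter (it logs to auth, facility 4, by default), and three of the four authpriv messages carry a name; "hunter2" in the login line is the case Simo is describing, a password typed at the user name prompt and now sitting in the log. The identifier list is the starting point for the audit: every program on it, not only the PAM modules, needs its messages read.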