[Fedora-packaging] Have secure by default permissions for configuration and log files

Kurt Seifried kseifried at redhat.com
Thu Jun 18 17:26:17 UTC 2015


https://fedorahosted.org/fpc/ticket/543

Have secure by default permissions for configuration and log files
[edit] Proposed change

All configuration files (e.g. files in /etc/) and all log files (e.g.
files in /var/log/) must not be set world-readable unless there is a
functional reason to do so. By default, configuration files should be
chmod 600 or 0640 and log files should be chmod 0600. This is due to a
continuing number of security issues with world readable files that
contain sensitive information (e.g. passwords and access tokens or
logged usernames and commands for example).

Some examples:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=configuration+file+permissions

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=log+file+permissions

https://fedoraproject.org/wiki/Kurtseifried/secure_config_and_log_permissions

Thanks!

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert at redhat.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/packaging/attachments/20150618/8a2e6657/attachment.sig>


More information about the packaging mailing list