Permissions on /var/log/ files
Rick Stevens
ricks at alldigital.com
Wed Jul 17 16:44:41 UTC 2013
On 07/17/2013 06:59 AM, Timothy Murphy issued this missive:
> I'm tired of saying "sudo less /var/log/maillog" or "messages".
> Is there any non-paranoiac reason for not making /var/log/ files
> readable say by wheel?
The consensus seems to be that it's OK to change the permissions and I
agree. Making the files world-readable should be possible except in some
extreme cases.
The reason the files are, by default, NOT world-readable is simply one
of security. Many programs (if using verbose logging) may expose
security-related items in plaintext in the log files (usernames,
passwords, GPG keys, etc.). Having the files readable by anyone allows
any lurker to find these things very easily. Many programs warn about
this issue in their man pages.
For example, using "wget http://username:password@somesite.com" or
"wget --user=user --password=password http://somesite.com" may log that
to a logger program (e.g. if you have bash logging enabled) and the
credentials are blatantly obvious in a "ps" listing.
That's just my opinion. But then again, I run a PCI-compliant shop.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital ricks at alldigital.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- "The bogosity meter just pegged." -
----------------------------------------------------------------------
More information about the users
mailing list