Permissions on /var/log/ files

Rick Stevens ricks at alldigital.com
Wed Jul 17 17:01:18 UTC 2013


On 07/17/2013 09:57 AM, Matthew Miller issued this missive:
> On Wed, Jul 17, 2013 at 09:44:41AM -0700, Rick Stevens wrote:
>> The reason the files are, by default, NOT world-readable is simply one
>> of security. Many programs (if using verbose logging) may expose
>> security-related items in plaintext in the log files (usernames,
>> passwords, GPG keys, etc.). Having the files readable by anyone allows
>> any lurker to find these things very easily. Many programs warn about
>> this issue in their man pages.
>
> Theeeeretically, such messages should use the authpriv facility and thus be
> put into /var/log/secure.

I concur, but many, MANY programs just log to syslogd and that's where
the gotchas come from. To obviate those issues, non-world-readable is
a rather simplistic but somewhat effective "fix".
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks at alldigital.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
- If at first you don't succeed, quit. No sense being a damned fool! -
----------------------------------------------------------------------
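Added example, not part of the thread: a small audit that checks the two points discussed above, files under a log directory that are world-readable (o+r) and lines in them that look like plaintext credentials or keys, plus the "simplistic fix" of dropping the 'other' bits. The pattern list and function names are assumptions chosen for this example.

```python
import os
import re
import stat

# Constructed, illustrative patterns for secrets leaked into plaintext logs
# (usernames/passwords, PGP or SSH private keys); tune them to your own software.
SECRET_PATTERNS = [
    re.compile(r"\bpass(word|wd)?\s*[=:]\s*\S+", re.IGNORECASE),
    re.compile(r"-----BEGIN (PGP|RSA|OPENSSH) PRIVATE KEY( BLOCK)?-----"),
]


def find_world_readable(root):
    """Return regular files under root whose mode grants read to 'other'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # vanished or unreadable entry; skip it
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                hits.append(path)
    return sorted(hits)


def scan_for_secrets(path, max_bytes=1 << 20):
    """Return 1-based line numbers in path that match a secret pattern."""
    matches = []
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)  # bound the read; logs can be huge
    for lineno, line in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
        if any(p.search(line) for p in SECRET_PATTERNS):
            matches.append(lineno)
    return matches


def audit(root):
    """Map each world-readable file under root to its secret-looking line numbers."""
    return {p: scan_for_secrets(p) for p in find_world_readable(root)}


def restrict(path):
    """Drop all 'other' permission bits (the non-world-readable fix); return new mode."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~stat.S_IRWXO)
    return stat.S_IMODE(os.lstat(path).st_mode)
```

Run `audit("/var/log")` as root to see which world-readable logs carry credential-like lines; files already routed to /var/log/secure with 0600 will not appear.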

