
Re: /var/log on Debian systems
also sprach Martin Schulze <joey@infodrom.org> [2004.12.14.1955 +0100]:
> > be a commonly accepted guideline, proggies like aptitude,
> > scrollkeeper, X, xdm, fontconfig, and many others basically just
> > dump their files world-readable into there.
> 
> What's so private in these log files that they should not world
> readable?

Let me ask you the complementary question: what's so public in these
log files that they should be world readable?

I understand your question, and it's a very good one, and I wonder
if this is a fundamental question about Debian. It reminds me of the
decision to make /bin/su 4754:root:wheel instead of 4750:root:wheel.
If you ask me, 4754 is a sane choice with a very pragmatic reason.

Log files, however, are different, and claiming that they are
non-private and thus world-readable is somewhat arbitrary to me. It
makes no sense to chmod 4750 /bin/su or 0711 /sbin or anything of
that sort, because that would be obscurity as any other Debian
system could deliver the information. However, log files are
specific to each system and no two log files will ever be the same.
Whether the information therein is inherently public or private is
not really the issue. I think the issue is rather whether Debian
generally approaches security from a conservative or liberal
position. Conservative maps to denying everything that isn't
explicitly allowed, and liberal allows everything unless explicitly
denied.

Look no further than the security team... your policy (on critical
bugs) is to hide information unless you have reason to make them
public. Why should other parts of Debian do it the other way around?

I claim the set of potential dangers, attacks, problems, and
watchouts to be infinite. Thus, it's a Sisyphus job to attempt to
protect the things known to be sensitive. Instead, unprotect those
that are known to be safe! This is standard security and safety
procedure, this is what any sensible security person these days will
advocate for a generic purpose.

Information is the primary asset of a hacker (next to skill).
Between X and fontconfig and other logs, a hacker (or malicious (or
not)) user can map out behaviour patterns of users without being
noticed (which may or may not be the case when using ps(1) or
/proc). These can seriously augment social engineering attacks.
Security cannot be perfect, but giving full access to information is
outright careless.

I really do not want to reopen cans of worms here, nor do I want to
start a heated discussion. I screwed up in that I did not research
before posting the first message of this thread. Santiago corrected
me by mentioning a consensus that had been reached. I cannot find
this consensus. Could someone please shove it in my face?

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
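The deny-by-default position argued in the message above (protect everything, then unprotect what is known to be safe) can be checked mechanically. The following POSIX shell functions are an added example and are not part of the thread or of any Debian package: they list the regular files under a log directory that are readable by "other" (mode bit 004), count them, and optionally strip that bit and make the directory itself non-listable by others. The 0750 directory mode, the function names and the sample files (`Xorg/Xorg.0.log`, `aptitude`, `auth.log`) are assumptions constructed for the demonstration; the sample tree is built in a temporary directory so nothing under the real `/var/log` is touched.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Audit a log directory for world-readable files and, if asked, tighten them.

# Print every regular file under $1 whose "other" read bit (004) is set,
# one path per line, sorted for stable output.
find_world_readable() {
    dir="$1"
    find "$dir" -type f -perm -004 | sort
}

# Number of world-readable regular files under $1 (0 when none).
count_world_readable() {
    find_world_readable "$1" | wc -l | tr -d ' '
}

# Remove the "other" read bit from every world-readable file under $1 and
# make the directory non-listable by others. 0750 is an assumed policy:
# owner full access, group may list, everyone else denied.
restrict_log_dir() {
    dir="$1"
    find "$dir" -type f -perm -004 -exec chmod o-r {} +
    chmod 0750 "$dir"
}

# Build a constructed sample tree in a fresh temp directory so the check
# runs offline. Two files are left at the default 0644, one is already 0640.
make_sample_logdir() {
    d=$(mktemp -d)
    umask 022
    mkdir "$d/Xorg"
    : > "$d/Xorg/Xorg.0.log"                      # world-readable, like an X log
    : > "$d/aptitude"                             # world-readable
    : > "$d/auth.log" && chmod 0640 "$d/auth.log" # already restricted
    echo "$d"
}

# Usage against a real tree: find_world_readable /var/log (read-only audit),
# then restrict_log_dir /var/log as root once the listing has been reviewed.
```

The audit half is safe to run as any user who can traverse the directory; the tightening half needs to be run as root and reviewed first, because some daemons and log rotation recreate files with their own default modes, so a one-off `chmod` is only a snapshot unless the creating program (or the rotation configuration) is also told the desired mode.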
