Bug#314956: Excess permission or bad ownership on file /var/log/btmp
tags 314956 pending
thanks
On Sun, Jun 19, 2005 at 09:53:31AM -0700, dean gaudet wrote:
> openssh 4.x now tries to append to /var/log/btmp (on bad passwords for
> example), but it's excessively anal about the permissions on that file. it
> doesn't permit group or other to have any of read/write/execute.
>
> the default debian setup is this:
>
> -rw-rw-r-- 1 root utmp 3840 Jun 18 14:40 /var/log/btmp
>
> and there are legit reasons for group utmp writability... such as:
>
> -rwxr-sr-x 1 root utmp 306616 Nov 14 2004 /usr/bin/screen
>
> i really don't know what to recommend as the right fix for this... you
> could disable USE_BTMP entirely, which was the pre-4.0 behaviour anyhow.
> or modify it to permit the debian perms...
I could persuade myself to cope with the latter option if it were just
group utmp readability/writability, but the world-readability is
completely contrary to the comment in openssh/loginrec.c:
* The most common login failure is to give password instead of username.
* So the _PATH_BTMP file checked for the correct permission, so that
* only root can read it.
I've disabled USE_BTMP in CVS.
Thanks,
--
Colin Watson [cjwatson@debian.org]
Reply to: