
Bug#2837: Default syslogd.conf logs auth information where everyone can see it!



Package: syslogd
Version: 1.3-2

In the default /etc/syslogd.conf file, auth information is directed to
the /var/log/auth.log file and the /dev/xconsole named pipe. But whereas
the auth.log file's permissions are set at 540, xconsole is world-readable.

Doesn't that defeat the whole point of having auth.log access restricted?
It's especially bad for cases when a user types his password at the
"login:" prompt by mistake.

And anyway, logging everything to xconsole is overkill, IMHO. It makes the
xconsole notify mechanism useless since it now triggers for mundane stuff
(e.g. named statistics) as well as the important (system broadcasts, talk
requests, etc.). Couldn't the /dev/xconsole entry be pared down so that only
the more important stuff (panics, broadcasts, etc.) shows up on
xconsole (and exclude auth from that!)?

  Christian
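
The check this report implies, as an added example (not part of the original message or of the syslogd package): find every file or named pipe that a syslogd configuration sends auth messages to, and flag those readable by "other". The sample configuration is constructed, and selector handling is simplified to plain priorities, "none" and "!*".

```python
import os
import re
import stat

AUTH_FACILITIES = {"auth", "authpriv", "*"}

# Constructed sample in sysklogd selector/action syntax; not the Debian default.
SAMPLE_CONF = """\
auth.*                      /var/log/auth.log
*.*;auth.none               -/var/log/syslog
*.=info;*.=notice;\\
        *.=warn             |/dev/xconsole
mail.*                      /var/log/mail.log
*.emerg                     *
"""

def logical_lines(text):
    """Yield config lines, comments dropped and backslash continuations joined."""
    for raw in re.sub(r"\\\n\s*", "", text).splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line

def selects_auth(selectors):
    """True if the ';'-separated selector list ends up matching auth messages."""
    matched = False
    for sel in selectors.split(";"):
        facilities, _, priority = sel.partition(".")
        if AUTH_FACILITIES & set(facilities.split(",")):
            # 'none' (or '!*') removes the facility; any other priority selects it.
            matched = priority not in ("none", "!*")
    return matched

def auth_destinations(text):
    """Return the file and named-pipe paths that receive auth messages."""
    paths = []
    for line in logical_lines(text):
        parts = line.split(None, 1)
        target = parts[-1].lstrip("-|")  # '-' = unsynced file, '|' = named pipe
        if len(parts) == 2 and target.startswith("/") and selects_auth(parts[0]):
            paths.append(target)
    return paths

def exposed(text, mode_of=lambda p: os.stat(p).st_mode):
    """Auth destinations whose mode has the other-read bit set."""
    return [p for p in auth_destinations(text) if mode_of(p) & stat.S_IROTH]
```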


