Re: Bug#2837: Default syslogd.conf logs auth information where everyone can see it
On Sun, 12 May 1996, Martin Schulze wrote:
> Christian Hudon wrote:
>
> | In default the /etc/syslogd.conf file, auth information is directed to
> | the /var/log/auth.log file and the /dev/xconsole named pipe. But whereas
> | the auth.log file's permissions are set at 540, xconsole is world-readable.
>
> How does auth.log get such strange permissions? My auth.logs are of mode
> 640, which is correct, root can write, adm can read, nobody else.
I guess the 540 was a typo on my part. What I meant is... we both agree
that 640 is the right permission for auth log information. Then auth
shouldn't be sent to xconsole, cuz xconsole info can be read by everyone.
An easy way out is *not* to send auth info to /dev/xconsole. (i.e. Remove
auth.* from the |/dev/xconsole line.)
> Referring to xconsole, which permission would you suggest? I have now
> changed it to the same as auth.log. Beat me if this is wrong.
Err.. 644 should be fine... As long as stuff like auth.* isn't sent to it.
If it's made 640, people won't be able to start up xconsole in their
.xsession (like I do :-). And after removing auth.* from the
|/dev/xconsole line, all the stuff sent to /dev/xconsole is also available
under /var/log with permission 644... So setting /dev/xconsole to 640 isn't
gonna make anything safer.
Christian
Reply to: