
Re: New user for logcheck



>>>>> "Michael" == Michael Stone <mstone@debian.org> writes:

    Michael> On Sat, Nov 20, 1999 at 04:09:28PM +0000, Rene Mayrhofer wrote:

    >> Logcheck is a new package in potato and its purpose is to
    >> check the system log files for unusual parts. It is a shell
    >> script that is run from cron.

    >> I got a suggestion for the logcheck package that I like. The
    >> suggestion was that logcheck should run as an own uid with the
    >> gid 'adm' (so that it can read the system log files). That
    >> would mean that a new uid is needed (or does it make sense to
    >> use an existing one - I don't think so).

    >> Would that be a problem ?

    Michael> What does the new userid buy us? Does the script accept
    Michael> user input? Does it create files? What about running it
    Michael> as nobody?

What about the "Re: Logs and Permissions for Daemons" thread recently
on *this* mailing list, where people made comments like:

(sorry for quoting these points again, but I am concerned that some
people may have missed them - and this topic seems to come up
regularly on this mailing list - perhaps we need a FAQ or something?
Does one exist?)

>>>>> "Herbert" == Herbert Xu <herbert@gondor.apana.org.au> writes:

    Herbert> There is a very good reason that those things created new
    Herbert> users, because they have to read/write files owned by
    Herbert> those users.

    Herbert> The advantage of this is that when one of the users is
    Herbert> compromised (say identd), it will not affect the other
    Herbert> daemons.

    Herbert> As to the fact that we only have a limited number of
    Herbert> users, I agree it's a problem.  Perhaps we should address
    Herbert> it by allocating new chunks in the uid space for system
    Herbert> users.

    Herbert> I do use the nobody user when the daemon in question does
    Herbert> not have to access files on the file system that is
    Herbert> restricted in some way, e.g., rwalld.

>>>>> "Bernd" == Bernd Eckenfels <lists@lina.inka.de> writes:

    Bernd> This is not safe, since one run-away daemon can modify
    Bernd> different daemons' logs or control the process with
    Bernd> signals. Therefore daemon user is considered as harmful as
    Bernd> nobody user.

>>>>> "Wichert" == Wichert Akkerman <wichert@cistron.nl> writes:


    Wichert> I disagree here. From a security perspective it's really
    Wichert> good if every daemon gets its own user. That way if one
    Wichert> daemon is compromised the attacker cannot mess around
    Wichert> with others. And there are lots of interesting ways to
    Wichert> mess with other daemons.. (ptrace and see passwords?
    Wichert> insert your own code? stop it and go for the simple
    Wichert> DoS-attack? etc.  etc.)

    Wichert> Those daemons should probably get an entry in the static
    Wichert> 60000-64999 range.

-- 
Brian May <bam@debian.org>
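
The isolation argument quoted in this message depends on which daemons share a uid, since processes running under the same uid can signal and ptrace one another. As an added example (not part of the original message or of logcheck), the Python below lists non-root uids that run more than one distinct daemon; the function name `shared_uid_daemons` and the sample process list are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the layout of `ps -eo uid,user,comm` output.
SAMPLE_PS = """\
  UID USER     COMMAND
    0 root     init
    0 root     syslogd
    1 daemon   portmap
    1 daemon   atd
  101 identd   identd
65534 nobody   rwalld
65534 nobody   logcheck
"""


def shared_uid_daemons(ps_text, ignore_uids=(0,)):
    """Return {uid: sorted command names} for uids running 2+ distinct commands.

    uid 0 is ignored by default: root can signal every process anyway, so
    sharing it says nothing about isolation between unprivileged daemons.
    """
    by_uid = defaultdict(set)
    for line in ps_text.splitlines():
        fields = line.split(None, 2)
        # Skip blank lines, the header row, and anything malformed.
        if len(fields) != 3 or not fields[0].isdigit():
            continue
        uid, _user, command = int(fields[0]), fields[1], fields[2].strip()
        if uid not in ignore_uids:
            by_uid[uid].add(command)
    # Several instances of one daemon under its own uid are not a finding;
    # only different daemons behind the same uid are reported.
    return {uid: sorted(cmds) for uid, cmds in by_uid.items() if len(cmds) > 1}


if __name__ == "__main__":
    for uid, commands in sorted(shared_uid_daemons(SAMPLE_PS).items()):
        print(f"uid {uid} is shared by: {', '.join(commands)}")
```

On a live system the same function can be fed the text of `ps -eo uid,user,comm`.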

