Re: correct perms for logcheck config files?
On Sun, Aug 10, 2003 at 11:52:39PM -0400, Joey Hess wrote:
> Matt Zimmerman wrote:
> > I think it is not helpful to restrict read permission on these files.
> > Module local modifications, anyone can get a copy from the Debian archive,
> > so their contents are not secret. The same justification applies as for not
> > restricting permissions on setuid executables, as documented in the policy
> > manual.
>
> But this is different from suid executables or game data files because
> these are conffiles that the admin is encouraged to edit when needed.
Indeed...I meant to write "Modulo local modifications" (not "Module", which
makes no sense). If the admin makes changes which could leak sensitive
information to an attacker, then he can also change the permissions on the
file. I do not think that they should have such restrictive permissions _by
default_ because it causes significant inconvenience without providing
any additional security.
> The scenario I thought up is as follows: The admin wants to make a local
> modification to one or more files. Say he is adding some rules to
> ignore, so this has some security implications if an attacker can work
> out what change he made. An attacker might try to look at the files, and
> see if a message will be ignored. So he could make them 600. A very
> determined attacker could cross-reference the installed version of a
> package with a database of file sizes and figure out if a file has had
> rules added to it, but this is not likely to be too useful. If he was
> very paranoid though, he could make the whole directory 700 and avoid
> this.
Of course, I would argue that any modifications to the file which would leak
sensitive information to an attacker would be bad rules to add to logcheck
in the first place (if a rule can be utilized by an attacker to cover his
tracks, it should not be ignored).
> The tradeoff with making the directory 700 by default is that it makes
> life harder for the admin when he's not root. Pretty minor but so is the
> advantage to 700 of the time. For mode 600 files the disadvantage is
> that the admin can more easily leak evidence by default (backup files,
> bad umask, bad editor, whatever), and that it's still not 100%
> approachable as a regular user.
The most inconvenient bit, to me, is that it breaks path completion when
editing these files with sudo.
sudo vi /etc/logcheck/ignore.d/<tab>...<tab>...<swear>
> > I think the files should be 644, directories 755 (currently the directories
> > are unreadable as well, which is quite inconvenient).
>
> IIRC the directories are only unreadable on older installs, or perhaps
> on installs that had a certain package installed first. It's fairly
> random.
Presumably the usual dpkg directory permissions semantics. I forget who
wins; the most recent maybe? At any rate, they're all unreadable on the
systems that I checked.
--
- mdz
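Added example (not code from the thread or from logcheck itself): a POSIX sh check that classifies a conffile directory into the three states the thread discusses, so an admin can see which default is actually in effect. It assumes GNU coreutils (stat -c, mktemp -d) as found on Debian, and builds its own constructed demo tree.

```shell
# Added example, not from the thread. Classifies a logcheck-style conffile
# directory into the three states discussed: directory closed to non-root
# (700), directory open but some files 600, or everything readable (755/644).
# Assumes GNU coreutils (stat -c, mktemp -d), as on Debian.

# Last octal digit of a mode string (the "others" bits), e.g. 4755 -> 5.
others_digit() {
    printf '%s\n' "$1" | sed 's/.*\(.\)$/\1/'
}

# perm_class DIR -> prints "dir-closed", "files-closed" or "open"
perm_class() {
    dir=$1
    # Others need r+x (5 or 7) to list and traverse the directory.
    case "$(others_digit "$(stat -c %a "$dir")")" in
        5|7) ;;
        *) echo dir-closed; return 0 ;;
    esac
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Others need the read bit (4, 5, 6 or 7) to read a rules file.
        case "$(others_digit "$(stat -c %a "$f")")" in
            4|5|6|7) ;;
            *) echo files-closed; return 0 ;;
        esac
    done
    echo open
}

# Constructed demo tree with one directory per state; prints the three
# classifications in order (expected: "open files-closed dir-closed").
demo() {
    base=$(mktemp -d)
    for state in open files-closed dir-closed; do
        mkdir -m 755 "$base/$state"
        : > "$base/$state/local.ignore"
        chmod 644 "$base/$state/local.ignore"
    done
    chmod 600 "$base/files-closed/local.ignore"   # admin made a file 600
    chmod 700 "$base/dir-closed"                  # admin made the directory 700
    printf '%s %s %s\n' "$(perm_class "$base/open")" \
        "$(perm_class "$base/files-closed")" "$(perm_class "$base/dir-closed")"
    rm -rf "$base"
}
```

Run `perm_class /etc/logcheck/ignore.d.server` (or any of the other logcheck directories) to see which of the three states a real install is in.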