[PROPOSAL] Permissions of /var/log.
reassign 35504 debian-policy
retitle 35504 [PROPOSAL] Permissions of /var/log.
severity 35504 wishlist

Some time ago I asked about permissions of /var/log; it's time to do
something about it.

On Tue, 25 Jan 2000, Wichert Akkerman wrote:
> Previously Santiago Vila wrote:
> > How do we want these files to be?
> > a) All of them should be root.root.
> > b) All of them should be root.adm.
> > c) This should not be covered by policy.
> I would say c) and let common sense decide. Generally the idea is:
> 1. logfiles which don't contain sensitive data should be readable
> by everyone. Which group they have doesn't really matter.
> 2. logfiles which contain sensitive data should only be readable by
> root and admins, and thus be owned by root.adm and mode 640.

Ok, this means root.adm is a better default than root.root.
Therefore I make the following

Proposal: (to be inserted into an appropriate place in the policy docs)

The /var/log directory should have permissions 2775 (group-writable and
set-group-id) and be owned by root.adm.

Rationale: root.adm is a better default than root.root.

I am now looking for seconds for this proposal.
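
A check for the permissions discussed in this message, added here as an example and not part of the original mail or of Debian policy: it compares a log directory against the proposed 2775 root.adm and each listed sensitive file against root.adm mode 640. The function names and the `sensitive` list with its default entry are assumptions.

```python
import grp
import os
import pwd
import stat


def owner_group(st):
    """Return (user, group) names for a stat result, or numeric ids if unnamed."""
    try:
        user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        user = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return user, group


def check(path, st, want_mode, want_owner):
    """Compare one inode against the expected mode and (user, group)."""
    found = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != want_mode:
        found.append(f"{path}: mode {mode:04o}, expected {want_mode:04o}")
    if owner_group(st) != want_owner:
        found.append(f"{path}: owned by {'.'.join(owner_group(st))}, "
                     f"expected {'.'.join(want_owner)}")
    return found


def audit_log_dir(path="/var/log", owner=("root", "adm"),
                  sensitive=("auth.log",)):  # file list is an assumption
    """Return findings for the directory (2775) and sensitive files (640)."""
    st = os.lstat(path)  # lstat: do not follow a symlinked log directory
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    findings = check(path, st, 0o2775, owner)
    for name in sensitive:
        full = os.path.join(path, name)
        try:
            fst = os.lstat(full)
        except FileNotFoundError:
            continue  # absent log: nothing to check
        if stat.S_ISREG(fst.st_mode):
            findings += check(full, fst, 0o640, owner)
        else:
            findings.append(f"{full}: not a regular file")
    return findings
```

Calling `audit_log_dir()` with no arguments inspects the real /var/log and returns an empty list when the directory and the listed files match.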