[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#35504: [PROPOSAL] Permissions of /var/log.

>>"Santiago" == Santiago Vila <sanvila@unex.es> writes:

 >> Previously Santiago Vila wrote:
 >> > How do we want these files to be?
 >> > 
 >> > a) All of them should be root.root.
 >> > b) All of them should be root.adm.
 >> > c) This should not be covered by policy.
 >> I would say c) and let common sense decide. Generally the idea is:
 >> 1. logfiles which don't contain sensitive data should be readable
 >> by everyone. Which group they have doesn't really matter.
 >> 2. logfiles which contain sensitive data should only readable by
 >> root and admins, and thus be owned by root.adm and mode 640.

 Santiago> Ok, this means root.adm is a better default than root.root.

        Actually, I think he said that this should not go into policy
 in the first place. What are your arguments for not letting the
 maintainer decide this on their own? 

 Santiago> The /var/log directory should have permissions 2775
 Santiago> (group-writable and set-group-id) and be owned by root.adm.

        Again, your justfication of the group writable clause? 

 Santiago> Rationale: root.adm is a better default than root.root.

        Better? This is not a rationale, this is an opinion, with
 nothing technical backing it up.

 Santiago> I am now looking for seconds for this proposal.

        Please put a little more effort into this; and please justify
 why things should go into policy. Not every idea belongs there, even
 if it a good one (and you have not shown why this is actually a good

 Success is the result of behavior that completely contradicts the
 usual expectations about the behavior of a successful person.  --
 Felix R. Paturi
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Reply to: