Re: world readable log files and /etc/ files
On Monday, 2002-04-29 at 02:40:57 +1000, Ian Cumming wrote:
> I was just cleaning up after rebuilding a machine, and I decided to take
> a look at the log file and /etc permissions.
Which release? Woody?
> I was quite alarmed. There seem to be many files with world readable
> permissions, which _shouldn't_.
> i.e.:
> /var/log/xfer.log
Probably depends on your flavour of ftp daemon. Mine is
-rw-r----- 1 root adm 335 Apr 24 15:46 /var/log/xferlog
> /var/log/samba/*
Here, /var/log/samba is:
drwxr-x--- 2 root adm 4096 Apr 28 07:48 /var/log/samba
The files *are*
-rw-r--r-- 1 root root 11144 Apr 28 14:49 log.nmbd
-rw-r--r-- 1 root root 1314 Apr 29 10:24 log.smbd
but this doesn't matter.
> /var/log/mailman/*
I don't have mailman, so I can't comment.
> and in /etc:
> /etc/proftpd.conf
I don't see anything that needs protection in my (default) proftpd.conf.
> /etc/netatalk/*
Don't have.
> /etc/smb/smb.conf
This one can have user names, so I guess it would be better off with
tighter access modes.
> /etc/apache-perl/cron.conf
I have no idea what this file is.
> What is the policy for log files? I understand that it doesn't do _that_
> much harm allowing others to read, but it does disclose more than I want
> to reveal.
Actually, having tighter access rights on logfiles may lead to the admin
handing out the root password to more people, resulting in lowered
security.
> And now every time I install a package, I'm paranoid about the
> permissions, so I have to go check them.
Be paranoid within reason. If you tighten security so much that you can
only work as root, you're easier to screw by trojans.
Lupe Christoph
--
| lupe@lupe-christoph.de | http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a |
| Bat-Leth contest on the holodeck. They will not concern us again. |
| http://public.logica.com/~stepneys/joke/klingon.htm |
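As an added example (not part of the thread), a small POSIX shell audit that flags world-readable regular files under a directory and tightens them to the root:adm 0640 pattern of the xferlog listing above, so admins read logs through the adm group rather than with the root password; it assumes the adm group exists on the host.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits a directory for
# world-readable files and applies the "-rw-r----- root adm" pattern.

# Return 0 if a symbolic mode string such as "-rw-r--r--" grants read
# to "other": the world-read bit is the 8th character of the string.
is_world_readable() {
    case "$1" in
        ???????r*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print every regular file under $1 whose "other" read bit is set.
# -perm -004 is POSIX; GNU find's -perm -o=r means the same thing.
audit_world_readable() {
    find "$1" -type f -perm -004 -print | sort
}

# Remove world access on regular files under $1 and give them to a group
# (default adm) so non-root admins can still read them. The chgrp step is
# skipped when the group does not exist on this host.
tighten_logs() {
    dir=$1
    grp=${2:-adm}
    find "$dir" -type f -perm -004 -exec chmod 0640 {} +
    if getent group "$grp" >/dev/null 2>&1; then
        find "$dir" -type f -exec chgrp "$grp" {} +
    fi
}

# Usage (as root): . ./logperms.sh; audit_world_readable /var/log
#                  tighten_logs /var/log adm
```

Users who need the logs are then added to the adm group (for example with `adduser <name> adm`) instead of being given root.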