Re: Tiger complaints on /home group

To: Dale Amon <amon@vnl.com>
Cc: debian-security@lists.debian.org
Subject: Re: Tiger complaints on /home group
From: Javier Fernández-Sanguino Peña <jfs@computer.org>
Date: Tue, 13 Aug 2002 11:30:25 +0200
Message-id: <[🔎] 20020813093025.GA13609@dat.etsit.upm.es>
In-reply-to: <[🔎] 20020809194538.GL24602@vnl.com>
References: <[🔎] 20020809194538.GL24602@vnl.com>

On Fri, Aug 09, 2002 at 08:45:39PM +0100, Dale Amon wrote:
> Since the author seems to hang out here (actually I think he's
> the one who long ago suggested I should join this list) I
> thought this might be a good place to ask.

	:)
> 
> I'm getting lots of complaints from tiger about:
> 
> OLD: --WARN-- [acc023w] Login ID XXXXXX's parent directory (/home) has group `staff' write access.
> 
> One for every user on every machine. Why is Tiger complaining? This
> is the normal set up for Debian, or at least has been for years.

	I am not 100% sure of the motivations behind this standard Debian setup, but
it's really an issue that depends on your policy. Do you want the staff group to
create user's home dirs (and probably remove them too)? Then go ahead an ignore
this warning (it should be only given once)

> 
> I might also note lots of messages in which Tiger seems to mistake 
> the size field for the group field:
> 
> OLD: --FAIL-- [acc006w] Login ID nobody's home directory (/tmp) has group `16384' and world write access.

	Yes, you've found Bug #155588 (closed now)
> 
> Tiger would be far more useful if we cleared up some of these
> false positives by either:
> 
> 	A) Change Debian to do things in a secure way
> 	B) Change Tiger to not complain about things that 
> 	   everyone thinks are not problems.
> 
	I cannot agree with you fully here, what one admin thinks
is a false positive another admin thinks might be a security issue
as compared to his own security policy.
	I'm reluctant to change Tiger to not check stuff that is
Debian's default. I prefer to have the "compare against template"
to avoid false positives. The standard behavior of Tiger makes sure
that you only get security-related issues by mail just once, not
continuously (unless you set templates that tell it otherwise).

	You should understand that "WARN" is just that, a 
warning (might or might not be an issue),
and "FAIL" is a security problem (it certainly is an issue).

	In any case feel free to submit any bugs to tiger to
issues you feel are not good enough.

	Javi

Reply to:

References:
- Tiger complaints on /home group
  - From: Dale Amon <amon@vnl.com>

Prev by Date: RE: IPSec VPN
Next by Date: Re: IPSec VPN
Previous by thread: Tiger complaints on /home group
Next by thread: BIND 9 bug
Index(es):
- Date
- Thread