On Thu, Aug 28, 2008 at 02:37:37PM -0700, Steve Langasek wrote:
On Thu, Aug 28, 2008 at 09:36:41AM +0200, Giacomo A. Catenazzi wrote:auth.log was invented for this reason, and separated to standard log: it should be readable only by root,Then there is a bug in another package if this is what "should" be, because /var/log/auth.log is readable by group adm on all my systems.
By default, nobody is in adm. Once upon a time (and still, on some systems) people made syslog world readable so people could diagnose their own problems. auth.log lets you keep syslog world readable without disclosing potentially sensitive authentication information.
(It's true that the passwords are not in /etc/shadow for systems using pam_unix together with NIS or NIS+, but I consider both NIS and NIS+ rather uninteresting cases.)
I'd say they're interesting, but increasingly uncommon.
I can see a point in logging *valid* usernames. Logging invalid usernames (which aren't unlikely to actually be passwords) is a security risk.It provides information about username brute force attacks and other issues of concern to admins.
Note that the pam_unix behavior is a bug, because it only logs some names of non-users; presumably it should log all or none. Whether this is a security bug is debatable (I think not).
Mike Stone