[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#311772: Fwd: Password leaks are security holes

On Thu, Aug 28, 2008 at 02:37:37PM -0700, Steve Langasek wrote:
On Thu, Aug 28, 2008 at 09:36:41AM +0200, Giacomo A. Catenazzi wrote:
auth.log was invented for this reason, and separated to standard log:
it should be readable only by root,

Then there is a bug in another package if this is what "should" be, because
/var/log/auth.log is readable by group adm on all my systems.

By default, nobody is in adm. Once upon a time (and still, on some systems) people made syslog world readable so people could diagnose their own problems. auth.log lets you keep syslog world readable without disclosing potentially sensitive authentication information.

(It's true that the passwords are not in /etc/shadow for systems using
pam_unix together with NIS or NIS+, but I consider both NIS and NIS+ rather
uninteresting cases.)

I'd say they're interesting, but increasingly uncommon.

I can see a point in logging *valid* usernames.  Logging invalid
usernames (which aren't unlikely to actually be passwords) is a
security risk.

It provides information about username brute force attacks and other issues
of concern to admins.

Note that the pam_unix behavior is a bug, because it only logs some names of non-users; presumably it should log all or none. Whether this is a security bug is debatable (I think not).

Mike Stone

Reply to: