Re: Bug#311772: Fwd: Password leaks are security holes
On Thu, Aug 28, 2008 at 02:37:37PM -0700, Steve Langasek wrote:
> On Thu, Aug 28, 2008 at 09:36:41AM +0200, Giacomo A. Catenazzi wrote:
> > auth.log was invented for this reason, and separated to standard log:
> > it should be readable only by root,
> Then there is a bug in another package if this is what "should" be, because
> /var/log/auth.log is readable by group adm on all my systems.
I see the same (and a sarge box I checked also has that). I'm surprised
enough by it that I think it must have changed at some point in the past.
I don't think 'readable by group adm' is a reasonable default for
/var/log/auth.log. It makes the adm group much less useful.
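
Added example, not part of the original message: a small Python check of which accounts the mode bits on a log file such as /var/log/auth.log actually let in, including the members of the owning group. The function names are made up for this illustration, and POSIX ACLs are not consulted.

```python
import grp
import os
import pwd
import stat


def who_can_read(path):
    """Describe who may read `path` according to its owner, group and mode bits."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    group_readable = bool(mode & stat.S_IRGRP)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)  # uid with no passwd entry
    try:
        entry = grp.getgrgid(st.st_gid)
        group = entry.gr_name
        # Supplementary members, plus users whose primary group is this gid.
        members = set(entry.gr_mem)
        members.update(p.pw_name for p in pwd.getpwall() if p.pw_gid == st.st_gid)
    except KeyError:
        group, members = str(st.st_gid), set()  # gid with no group entry
    return {
        "mode": oct(mode),
        "owner": owner,
        "group": group,
        "group_readable": group_readable,
        "world_readable": bool(mode & stat.S_IROTH),
        # Only meaningful when the group read bit is set.
        "group_members": sorted(members) if group_readable else [],
    }


def owner_only(path):
    """True when neither the group nor others have the read bit."""
    info = who_can_read(path)
    return not (info["group_readable"] or info["world_readable"])


if __name__ == "__main__":
    target = "/var/log/auth.log"  # the file discussed in this thread
    if os.path.exists(target):
        for key, value in who_can_read(target).items():
            print(f"{key}: {value}")
        print("owner_only:", owner_only(target))
```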