
Re: Bug#311772: Fwd: Password leaks are security holes



On Thu, Aug 28, 2008 at 02:37:37PM -0700, Steve Langasek wrote:
> On Thu, Aug 28, 2008 at 09:36:41AM +0200, Giacomo A. Catenazzi wrote:
> > auth.log was invented for this reason, and separated to standard log:
> > it should be readable only by root,
> 
> Then there is a bug in another package if this is what "should" be, because
> /var/log/auth.log is readable by group adm on all my systems.

I see the same (and a sarge box I checked also has that).  I'm surprised
enough by it that I think it must have changed at some point in the past.

I don't think 'readable by group adm' is a reasonable default for 
/var/log/auth.log.  It makes the adm group much less useful.

Regards,

Mark.

