[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#314956: Excess permission or bad ownership on file /var/log/btmp

tags 314956 pending
thanks

On Sun, Jun 19, 2005 at 09:53:31AM -0700, dean gaudet wrote:
> openssh 4.x now tries to append to /var/log/btmp (on bad passwords for 
> example), but it's excessively anal about the permissions on that file. it 
> doesn't permit group or other to have any of read/write/execute.
> 
> the default debian setup is this:
> 
> -rw-rw-r--  1 root utmp 3840 Jun 18 14:40 /var/log/btmp
> 
> and there are legit reasons for group utmp writability... such as:
> 
> -rwxr-sr-x  1 root utmp 306616 Nov 14  2004 /usr/bin/screen
> 
> i really don't know what to recommend as the right fix for this... you 
> could disable USE_BTMP entirely, which was the pre-4.0 behaviour anyhow. 
> or modify it to permit the debian perms...

I could persuade myself to cope with the latter option if it were just
group utmp readability/writability, but the world-readability is
completely contrary to the comment in openssh/loginrec.c:

   * The most common login failure is to give password instead of username.
   * So the _PATH_BTMP file checked for the correct permission, so that
   * only root can read it.

I've disabled USE_BTMP in CVS.

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]
Reply to: