Re: logrotate: three questions
On 2004-02-15, Colin Watson penned:
> On Sun, Feb 15, 2004 at 12:20:26PM -0700, Monique Y. Herman wrote:
>> On 2004-02-15, Joey Hess penned:
>> > That would be a violation of debian policy, and is not the case on
>> > any of my systems.
>> >
>> > -rwxr-xr-x 1 root root 33K Oct 9 2002
>> > /usr/sbin/logrotate*
>>
>> Well, Bastille locked those permissions down for me.
>
> Oh, God, why on earth?
Well, this was in my /var/log/Bastille/last.config :
# Q: Would you like to set more restrictive permissions on the
# administration utilities? [N]
FilePermissions.generalperms_1_1="Y"
And this was in my action-log:
{Sun Dec 21 22:50:35 2003} Answer to question FilePermissions.generalperms_1_1
is "Y".
Followed by a whole slew of chmods, logrotate being among them.
>> The question is, was Bastille being overly paranoid, or can logrotate
>> be exploited when it's world-executable?
>
> No executable that isn't set-user-id or set-group-id can ever let you
> do anything you couldn't do yourself anyway. This is why Debian policy
> says that non-set-id executables shouldn't have restrictive
> permissions.
>
> I'd file a bug with the Bastille people.
>
Is this really a bug, or just a bad/pointless idea? I mean, it asked me
if I should lock these tools down, and I said yes. I can always loosen
up permissions on a case by case basis.
I should probably file a wishlist item, in any case, that the Bastille
interface enumerate the files it's going to chmod if you answer 'yes' to
this question.
--
monique
Reply to: