Marcos Felipe Rasia de Mello schrieb:
2015-02-20 11:53 GMT-02:00 Ludwig Nussel <ludwig.nussel@suse.de>:
Marcos Felipe Rasia de Mello schrieb:
[...] /var/log/squid: total 176 drwxr-x--- 2 squid squid 4096 Feb 19 17:15 . drwxr-xr-x 7 root root 4096 Feb 20 07:33 .. -rw-r----- 1 squid squid 0 Feb 20 07:33 access.log -rw-r----- 1 squid squid 416 Feb 20 07:32 access.log-20150220.xz -rw-r----- 1 squid squid 163672 Feb 20 07:34 cache.log -rw-r----- 1 squid squid 1580 Feb 20 07:32 cache.log-20150220.xz
logrotate config fragment is using 'su squid squid' as an extra safety measure.
That is still just a hack though for software that really offers no other choice. In general it's better to not allow the daemon to write to the directory of it's log files. That avoids all kinds of trouble for anything that needs to operate on that directory (like logrotate or rpm but also the admin himself). It also has the benefit that the daemon user cannot corrupt or remove log files that have been rotated, ie can't cover the tracks.
Does current root group ownership bring any security?
No. As I tried to explain if you want to improve security it would be better to change the directory to root:root.
What do you think about the proposed changes?
Looks more or less cosmetic to me. I have no opinion on that :-) cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg) Maxfeldstraße 5; 90409 Nürnberg; Germany -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org