why do the log files have permissions set to 644 and not 600 ?

-- 
engelbert gruber
email: engelbert.gruber@ssg.co.at
> why do the log files have permissions set to 644 and not 600 ?
It shouldn't generally be considered a problem since it doesn't contain secrets to the users. It may be advisable to keep it a little more conservative, though.

Change it in /etc/permissions and run chkstat -set /etc/permissions . There's more than one /etc/permissions - use the one that's mentioned in /etc/rc.config.

Note that /var/log/wtmp and /var/run/utmp need at least ug=rw (660).

Roman.

-- 
Roman Drahtmüller             "The best way to pay for a
CC University of Freiburg      lovely moment is to enjoy it."
email: draht@uni-freiburg.de                 - Richard Bach
On Wed, 28 Jun 2000, Roman Drahtmueller wrote:
> > why do the log files have permissions set to 644 and not 600 ?
> It shouldn't generally be considered a problem since it doesn't contain secrets to the users. It may be advisable to keep it a little more conservative, though.
> Change it in /etc/permissions and run chkstat -set /etc/permissions .
> There's more than one /etc/permissions - use the one that's mentioned in /etc/rc.config.

Maybe use /etc/permissions.local, and have a look into /etc/logfiles, as the rotator also sets attributes!

> Note that /var/log/wtmp and /var/run/utmp need at least ug=rw (660).
That's what I wanted to know.

-- 
engelbert gruber
email: engelbert.gruber@ssg.co.at
On Wed, 28 Jun 2000, Roman Drahtmueller wrote:
> > why do the log files have permissions set to 644 and not 600 ?
> It shouldn't generally be considered a problem since it doesn't contain secrets to the users. It may be advisable to keep it a little more conservative, though.
I don't agree. There may be a lot of information in log files that should not be accessible to everybody. Think of mail log entries - you may read who has sent a message of which size when to whom. To protect this is a question of privacy. Or on older systems I frequently found entries of the type

invalid password for `mypassword' on `tty1'

when users were hastily logging in and were out of phase with the login and password prompts. On many systems it's not too hard to check all available accounts for 'mypassword' (and it's all too bad if it's the root password that was logged).

I could not reproduce the latter effect with my recent configuration (/bin/login from shadow-980724-36 in SuSE 6.1). If the typed username at the login prompt is not valid it logs

invalid password for `UNKNOWN' on `tty1'

Has the behaviour of /bin/login changed - can anybody confirm this?

Cheers
Thomas

-- 
Thomas Forbriger    email: Thomas.Forbriger@geophys.uni-stuttgart.de
Universitaet Stuttgart - Institut fuer Geophysik
Richard-Wagner-Str. 44, D-70184 Stuttgart, Germany
Tel ++49 (711) 121-3593 or 3422 or 3424 or 3590 | Fax ++49 (711) 2361218
http://www.geophys.uni-stuttgart.de/thof
"... there's nothing more bizarre than reality..." (M. Kindermann)
Hi!

On Wed, 28 Jun 2000, Thomas Forbriger wrote:
> > On Wed, 28 Jun 2000, Roman Drahtmueller wrote:
> > [ logfile permissions ]
> I don't agree. There may be a lot of information in log files that should not be accessible to everybody. Think of mail log entries - you may read who has sent a message of which size when to whom. To protect this is a question of privacy. Or on older systems I frequently found entries of the type
>
> invalid password for `mypassword' on `tty1'
>
> when users were hastily logging in and were out of phase with the login and password prompts. On many systems it's not too hard to check all available accounts for 'mypassword' (and it's all too bad if it's the root password that was logged).
>
> I could not reproduce the latter effect with my recent configuration (/bin/login from shadow-980724-36 in SuSE 6.1). If the typed username at the login prompt is not valid it logs
>
> invalid password for `UNKNOWN' on `tty1'
>
> Has the behaviour of /bin/login changed - can anybody confirm this?
From /etc/login.defs:

[...snip...]
# Enable display of unknown usernames when login failures are recorded.
#
LOG_UNKFAIL_ENAB no
[...snip...]
This prevents the logging of passwords if they are typed in by mistake as the username. The word "UNKNOWN" will be used in that case.

Regards,
andy

-- 
Information about the Austrian Usenet: http://www.usenet.at/
Association of Internet Users of Austria (.AT): http://www.vibe.at/
I am from Austria - but I did not vote for Joerg Haider and the FPOE.
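Two defensive checks for the issue Thomas and Andreas discuss, as an added shell example that is not from the thread or from the shadow package: one confirms that login.defs keeps LOG_UNKFAIL_ENAB off, the other scans a syslog-style file for "invalid password for `NAME'" entries whose NAME is neither UNKNOWN nor an existing account, so the lines can be purged and the affected user told to change the password. The login.defs, passwd and log lines are constructed samples, not real system files.

```shell
#!/bin/sh
# Added example, not from the thread: defensive checks for the login-log issue
# Thomas raised. All inputs below are constructed samples, not real system files.

# True (exit 0) if login.defs has an uncommented LOG_UNKFAIL_ENAB set to yes,
# i.e. unknown usernames (and thus mistyped passwords) would be written to the log.
unknown_names_logged() {
    awk '$1 == "LOG_UNKFAIL_ENAB" && tolower($2) == "yes" { found = 1 }
         END { exit !found }' "$1"
}

# Flags "invalid password for `NAME' on `TTY'" lines in log $1 whose NAME is
# neither UNKNOWN nor an account in the passwd-format file $2: such a NAME is
# most likely a password typed at the login prompt. The NAME is never printed,
# only its location, so the line can be purged and the user told to change it.
# Prints the number of flagged entries on stdout; locations go to stderr.
suspicious_login_failures() {
    awk -v q="'" '
        FNR == NR { acct[$1] = 1; next }            # file 1: account names
        index($0, "invalid password for `") {       # file 2: split on backtick
            name = substr($2, 1, index($2, q) - 1)  # up to the closing quote
            tty  = substr($3, 1, index($3, q) - 1)
            if (name != "UNKNOWN" && !(name in acct)) {
                printf "%s:%d: non-account name on %s, probably a typed password (redacted)\n",
                       FILENAME, FNR, tty > "/dev/stderr"
                n++
            }
        }
        END { print n + 0 }' FS=: "$2" FS='`' "$1"
}

# Constructed sample files (login.defs, passwd, syslog) written into directory $1.
make_samples() {
    printf '%s\n' '# Enable display of unknown usernames when login failures are recorded.' \
        '#' 'LOG_UNKFAIL_ENAB no' > "$1/login.defs"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'thomas:x:1000:100::/home/thomas:/bin/bash' > "$1/passwd"
    printf '%s\n' \
        "Jun 28 08:01:02 host login[201]: invalid password for \`thomas' on \`tty1'" \
        "Jun 28 08:01:09 host login[202]: invalid password for \`mistyped-1' on \`tty1'" \
        "Jun 28 08:02:30 host login[203]: invalid password for \`UNKNOWN' on \`tty2'" \
        "Jun 28 08:03:11 host login[204]: invalid password for \`mistyped-2' on \`tty3'" \
        'Jun 28 08:04:00 host sendmail[205]: from=<a@example.org>, size=1234' > "$1/messages"
}

# Usage: make_samples /tmp/x; suspicious_login_failures /tmp/x/messages /tmp/x/passwd
```

On the samples above the scan reports two suspicious entries (the two "mistyped-" names) and leaves the real account name and UNKNOWN alone.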
You wrote:
> why do the log files have permissions set to 644 and not 600 ?
I have set permissions to 640 for most logfiles. Adding my account to appropriate groups I can read logfiles without being root. I do everything as user if possible.

-- 
"What're quantum mechanics?" -- "I don't know. People who repair quantums, I suppose." (Terry Pratchett, Eric)
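Putting Roman's advice (640, but wtmp/utmp keep ug=rw) and the 640-plus-group approach in this message together, here is an added shell example that is not from the thread and not SuSE's chkstat: it lists world-readable files under a log tree and tightens them to 640, or 660 for the accounting files. The group name "adm" and the sandbox paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from SuSE's chkstat: audit a log tree
# for world-readable files and tighten them the way the thread suggests.
# Assumptions: the group allowed to read logs is "adm" (override via LOG_GROUP);
# chgrp is only attempted when running as root.

LOG_GROUP="${LOG_GROUP:-adm}"

# wtmp/utmp (and btmp) are updated by login/init through the group and must keep
# ug=rw, so they get 660 instead of 640 (Roman's caveat in the thread).
needs_660() {
    case "$(basename "$1")" in
        wtmp|utmp|btmp) return 0 ;;
        *) return 1 ;;
    esac
}

# Desired mode for one file: 660 for the accounting files, 640 for everything else.
desired_mode() {
    if needs_660 "$1"; then echo 660; else echo 640; fi
}

# Audit: print every regular file under $1 that grants read to "other"
# (-perm -004 = the o+r bit is set), sorted for stable output.
list_world_readable() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# Fix: chmod every regular file under $1 to its desired mode and, when root,
# hand it to LOG_GROUP so members can read logs without becoming root.
tighten_logs() {
    find "$1" -type f | while read -r f; do
        chmod "$(desired_mode "$f")" "$f"
        if [ "$(id -u)" -eq 0 ]; then
            chgrp "$LOG_GROUP" "$f" 2>/dev/null || true   # group may not exist
        fi
    done
}

# Usage: sh audit_logs.sh /var/log          (report only)
#        sh audit_logs.sh /var/log --fix    (report, then tighten)
if [ -n "${1:-}" ]; then
    list_world_readable "$1"
    if [ "${2:-}" = "--fix" ]; then tighten_logs "$1"; fi
fi
```

Run it against a copy of /var/log first; the report-only mode shows what chkstat or the log rotator would otherwise leave world-readable.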
participants (5): Andreas Kreuzinger, engelbert gruber, Juergen Dollinger, Roman Drahtmueller, Thomas Forbriger