2015-02-20 11:53 GMT-02:00 Ludwig Nussel
Marcos Felipe Rasia de Mello schrieb:
[...] /var/log/squid: total 176 drwxr-x--- 2 squid squid 4096 Feb 19 17:15 . drwxr-xr-x 7 root root 4096 Feb 20 07:33 .. -rw-r----- 1 squid squid 0 Feb 20 07:33 access.log -rw-r----- 1 squid squid 416 Feb 20 07:32 access.log-20150220.xz -rw-r----- 1 squid squid 163672 Feb 20 07:34 cache.log -rw-r----- 1 squid squid 1580 Feb 20 07:32 cache.log-20150220.xz
logrotate config fragment is using 'su squid squid' as an extra safety measure.
That is still just a hack though for software that really offers no other choice. In general it's better to not allow the daemon to write to the directory of it's log files. That avoids all kinds of trouble for anything that needs to operate on that directory (like logrotate or rpm but also the admin himself). It also has the benefit that the daemon user cannot corrupt or remove log files that have been rotated, ie can't cover the tracks.
Does current root group ownership bring any security? What do you think about the proposed changes? -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org