Mailinglist Archive: opensuse-security (12 mails)

Re: [opensuse-security] Change /var/{cache,log}/squid ownership to squid:squid
2015-02-20 11:53 GMT-02:00 Ludwig Nussel <ludwig.nussel@xxxxxxx>:
Marcos Felipe Rasia de Mello wrote:

[...]
/var/log/squid:
total 176
drwxr-x--- 2 squid squid 4096 Feb 19 17:15 .
drwxr-xr-x 7 root root 4096 Feb 20 07:33 ..
-rw-r----- 1 squid squid 0 Feb 20 07:33 access.log
-rw-r----- 1 squid squid 416 Feb 20 07:32 access.log-20150220.xz
-rw-r----- 1 squid squid 163672 Feb 20 07:34 cache.log
-rw-r----- 1 squid squid 1580 Feb 20 07:32 cache.log-20150220.xz

logrotate config fragment is using 'su squid squid' as an extra safety
measure.


That is still just a hack though for software that really offers no
other choice. In general it's better to not allow the daemon to write to
the directory of its log files. That avoids all kinds of trouble for
anything that needs to operate on that directory (like logrotate or rpm
but also the admin himself). It also has the benefit that the daemon
user cannot corrupt or remove log files that have been rotated, i.e. can't
cover the tracks.


Does current root group ownership bring any security? What do you
think about the proposed changes?
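
The point raised in the quoted reply (write access to the directory, not to the file, decides who can unlink or rename rotated logs), as an added example that is not part of the original message or of any openSUSE package. The uid/gid values and the root-owned layout are constructed for illustration; the check models plain Unix mode bits only and ignores ACLs and capabilities.

```python
import stat
from collections import namedtuple

# uid, gid and permission bits, as os.stat() would report them
Entry = namedtuple("Entry", "uid gid mode")

def _allowed(e, uid, gids, u_bit, g_bit, o_bit):
    """Classic Unix check: owner class first, then group, then other."""
    if uid == 0:
        return True
    if e.uid == uid:
        return bool(e.mode & u_bit)
    if e.gid in gids:
        return bool(e.mode & g_bit)
    return bool(e.mode & o_bit)

def can_write(e, uid, gids):
    return _allowed(e, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)

def can_search(e, uid, gids):
    return _allowed(e, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)

def can_remove(d, f, uid, gids):
    """unlink/rename needs write+search on the directory, not on the file."""
    if not (can_write(d, uid, gids) and can_search(d, uid, gids)):
        return False
    if d.mode & stat.S_ISVTX and uid != 0:   # sticky: owners only
        return uid in (f.uid, d.uid)
    return True

def removable(d, files, uid, gids):
    """Names of the log files the given user could delete or replace."""
    return sorted(n for n, f in files.items() if can_remove(d, f, uid, gids))

SQUID_UID, SQUID_GID = 1031, 1031   # constructed ids, not from the message
NAMES = ["access.log", "access.log-20150220.xz",
         "cache.log", "cache.log-20150220.xz"]

# Layout from the listing in the message: squid:squid, 0750 dir, 0640 files.
LISTED_DIR = Entry(SQUID_UID, SQUID_GID, 0o750)
LISTED = {n: Entry(SQUID_UID, SQUID_GID, 0o640) for n in NAMES}

# Constructed alternative: root-owned directory, squid owns only live logs.
ROOT_DIR = Entry(0, 0, 0o755)
ROOT_OWNED = {n: Entry(0, 0, 0o640) if n.endswith(".xz")
              else Entry(SQUID_UID, SQUID_GID, 0o640) for n in NAMES}

if __name__ == "__main__":
    print(removable(LISTED_DIR, LISTED, SQUID_UID, {SQUID_GID}))
    print(removable(ROOT_DIR, ROOT_OWNED, SQUID_UID, {SQUID_GID}))
```

In the constructed root-owned layout the daemon can still append to its live logs, because that depends on the file's own mode bits, while the rotated files stay out of its reach.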
