Mailinglist Archive: opensuse-security (12 mails)

< Previous Next >
Re: [opensuse-security] Change /var/{cache,log}/squid ownership to squid:squid
  • From: Marcos Felipe Rasia de Mello <marcosfrm@xxxxxxxxx>
  • Date: Mon, 23 Feb 2015 08:23:18 -0300
  • Message-id: <CAJZVDJATNfS2=WbuyPkeDxVc5zKy_ABWCX7iv5w2uTa+Rwb2jw@mail.gmail.com>
2015-02-23 6:52 GMT-03:00 Ludwig Nussel <ludwig.nussel@xxxxxxx>:
Marcos Felipe Rasia de Mello schrieb:

2015-02-20 11:53 GMT-02:00 Ludwig Nussel <ludwig.nussel@xxxxxxx>:

Marcos Felipe Rasia de Mello schrieb:


[...]
/var/log/squid:
total 176
drwxr-x--- 2 squid squid 4096 Feb 19 17:15 .
drwxr-xr-x 7 root root 4096 Feb 20 07:33 ..
-rw-r----- 1 squid squid 0 Feb 20 07:33 access.log
-rw-r----- 1 squid squid 416 Feb 20 07:32 access.log-20150220.xz
-rw-r----- 1 squid squid 163672 Feb 20 07:34 cache.log
-rw-r----- 1 squid squid 1580 Feb 20 07:32 cache.log-20150220.xz

logrotate config fragment is using 'su squid squid' as an extra safety
measure.



That is still just a hack though for software that really offers no
other choice. In general it's better to not allow the daemon to write to
the directory of it's log files. That avoids all kinds of trouble for
anything that needs to operate on that directory (like logrotate or rpm
but also the admin himself). It also has the benefit that the daemon
user cannot corrupt or remove log files that have been rotated, ie can't
cover the tracks.


Does current root group ownership bring any security?


No. As I tried to explain if you want to improve security it
would be better to change the directory to root:root.

What do you think about the proposed changes?


Looks more or less cosmetic to me. I have no opinion on that :-)



Marcus Meissner said on the bug report in question that security team
would need to approve it. I call it a cleanup. ;-)
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-security+owner@xxxxxxxxxxxx

< Previous Next >