From owner-freebsd-questions Thu Oct 10 5:37:19 2002 Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 83DD837B401 for ; Thu, 10 Oct 2002 05:37:18 -0700 (PDT) Received: from smtp010.tiscali.dk (smtp010.tiscali.dk [212.54.64.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id 75BB043E8A for ; Thu, 10 Oct 2002 05:37:17 -0700 (PDT) (envelope-from db@traceroute.dk) Received: from rafter. (213.237.112.252.adsl.arsy.worldonline.dk [213.237.112.252]) by smtp010.tiscali.dk (8.12.5/8.12.5) with SMTP id g9ACbDbR029577; Thu, 10 Oct 2002 14:37:13 +0200 (MEST) From: Socketd Date: Thu, 10 Oct 2002 12:42:29 GMT Message-ID: <20021010.12422900.3222565378@rafter.> Subject: Re: Security questions To: Giorgos Keramidas , freebsd-questions@freebsd.org In-Reply-To: <20021010102838.GN21391@hades.hell.gr> References: <20021009.22451000.4017525480@rafter.> <20021010023701.GJ21391@hades.hell.gr> <20021010.10135300.3745751216@rafter.> <20021010102838.GN21391@hades.hell.gr> X-Mailer: Mozilla/3.0 (compatible; StarOffice/5.2;Linux) X-Priority: 3 (Normal) MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG >>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<< On 10/10/02, 12:28:38 PM, Giorgos Keramidas =20 wrote regarding Re: Security questions: > > > Another reason is obvious if you look at the owner and permissions= of > > > the system log files: > > > > > giorgos@patata[05:33]/home/giorgos$ ls -ld /var/log/messages > > > -rw-r--r-- 1 root wheel 620908 Oct 10 05:33 /var/log/messages > > > > Yes, but they could be changed to user: syslog > No they couldn't. syslog is not a superuser, but a normal user. The > access controls imposed on users attempting to access the files owned > by a root user are a bit more strict than those that apply to the rest= > of the users, right now. I have to admit, it's not a bad idea to have= > log files owned by a syslog:syslog user, and selectively allow read, > write or modification access through access lists. But that's > something we ought to reconsider when ACLs are widely available on > FreeBSD, imho. I am not the biggest fan of ACL's and I think we can solve this problem = with the tools we have now. We have /var and different daemons and the=20 kernel have to write messages to different files in that "dir". The=20 interface to /var/ should be syslogd, meaning that all files in that=20 "dir" should be owned by syslog. I can't see the need for ACL to make=20 syslogd a non-root daemon. Br socketd To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message