Date:      Wed, 11 Nov 1998 09:25:59 -0500 (EST)
From:      Robert Watson <robert@cyrus.watson.org>
To:        Keith Stevenson <k.stevenson@louisville.edu>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: chflags on log files question
Message-ID:  <Pine.BSF.3.96.981111091520.25081A-100000@fledge.watson.org>
In-Reply-To: <19981110084411.B13216@homer.louisville.edu>

On Tue, 10 Nov 1998, Keith Stevenson wrote:

> I'm not sure that both flags are necessary.  It is my understanding that the
> uappnd flag makes the file append only for non-root users (root can still
> manipulate the file), while the sappnd flag stops even root from doing anything
> other than appends.

sappnd alone should be sufficient, assuming the directory hierarchy is
protected adequately.  Needless to say, newsyslog should be disabled if
you are taking this approach.  Or at least, run only at boot, etc.

> I'm running at securelevel=2 on several of my servers.  I've flagged several
> log files (lastlog, messages, wtmp) as schg.  With the exception of lastlog, 
> all of these files appear to be updated correctly.

lastlog is not maintained by syslog, rather, by login and friends.  From a
brief perusal of login.c, we note that:

        /* open O_RDWR without O_CREAT: a missing lastlog is never created;
           then seek to this uid's fixed-size slot (L_SET is the old BSD
           name for SEEK_SET), so the record is written in place, not appended */
        if ((fd = open(_PATH_LASTLOG, O_RDWR, 0)) >= 0) {
                (void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), L_SET);


In other words, this is not a sequential log file, but an array with one
entry per active user indicating when/where/etc they last logged in from.
BTW, this is a good reason to keep /var/log on a partition that supports
sparse files, and then to be very careful with the lastlog file (don't tar
it :) in the event that you actually use large uids, as you risk filling
in all those empty blocks in between.  Fortunately, it looks like if the
file doesn't exist, it isn't created, meaning that you can just delete it
if you don't care about finger displaying the information, and login
displaying it at login.

I have not reviewed related code in rshd/sshd that bypass login.

  Robert N Watson 

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/
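The lastlog layout described in the message above, as an added example that is not part of the original post or of FreeBSD's login.c: a small C program that models lastlog as a fixed-size record array indexed by uid, updates a slot the way login does (O_RDWR, no O_CREAT, in-place write), looks slots up, and reports logical size against allocated blocks so the holes left by large uids are visible. The record layout (time, tty line, host; 32 bytes) is an assumption patterned on the historical 4.4BSD struct lastlog, and the file path under /tmp and the timestamps are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed record layout, patterned on the historical 4.4BSD struct lastlog
 * (time, tty line, remote host); 32 bytes with no padding on LP64 hosts. */
#define LL_LINESIZE 8
#define LL_HOSTSIZE 16
struct ll_rec {
    long long ll_time;              /* last login time, seconds since epoch */
    char      ll_line[LL_LINESIZE]; /* tty; not NUL-terminated if full */
    char      ll_host[LL_HOSTSIZE]; /* remote host; same caveat */
};

/* The file is an array indexed by uid: slot N starts at N * sizeof(record). */
static off_t ll_offset(uid_t uid)
{
    return (off_t)uid * sizeof(struct ll_rec);
}

/* Record a login the way login(1) does: O_RDWR with no O_CREAT, so a missing
 * file is skipped rather than created, then an in-place write at the uid's
 * slot. The write lands at an arbitrary offset, so it is not an append; this
 * is why schg (or sappnd) on lastlog stops it while syslog's appends to
 * messages keep working. Returns 0 on success, -1 with errno set otherwise. */
int ll_update(const char *path, uid_t uid, const struct ll_rec *rec)
{
    int fd = open(path, O_RDWR, 0);
    if (fd < 0)
        return -1;
    ssize_t n = pwrite(fd, rec, sizeof *rec, ll_offset(uid));
    close(fd);
    return n == (ssize_t)sizeof *rec ? 0 : -1;
}

/* Fetch uid's slot: 1 if a login is recorded, 0 if the slot is beyond EOF or
 * still all zeros (a hole in the sparse file), -1 on error. */
int ll_lookup(const char *path, uid_t uid, struct ll_rec *out)
{
    int fd = open(path, O_RDONLY, 0);
    if (fd < 0)
        return -1;
    ssize_t n = pread(fd, out, sizeof *out, ll_offset(uid));
    close(fd);
    if (n < 0)
        return -1;
    if (n < (ssize_t)sizeof *out) {      /* short read: past the last slot */
        memset(out, 0, sizeof *out);
        return 0;
    }
    return out->ll_time != 0;
}

/* Logical size versus bytes actually allocated; the difference is the holes
 * between populated uids, which a byte-by-byte copy (tar, a naive cp) fills
 * with real zero blocks on the destination. */
int ll_footprint(const char *path, off_t *size, off_t *allocated)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    *size = st.st_size;
    *allocated = (off_t)st.st_blocks * 512;
    return 0;
}

/* Build a demo lastlog with constructed entries for uid 0 and one large uid.
 * The file is created here explicitly, since ll_update (like login) never
 * creates it. */
int ll_demo(const char *path, uid_t big_uid)
{
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    close(fd);
    struct ll_rec r = { .ll_time = 910787159 }; /* remaining fields zeroed */
    strncpy(r.ll_line, "ttyp0", LL_LINESIZE);
    strncpy(r.ll_host, "fledge", LL_HOSTSIZE);
    if (ll_update(path, 0, &r) != 0)
        return -1;
    r.ll_time = 910787200;
    strncpy(r.ll_host, "homer", LL_HOSTSIZE);
    return ll_update(path, big_uid, &r);
}

int main(void)
{
    const char *path = "/tmp/lastlog.demo";   /* assumed demo location */
    off_t size, alloc;
    if (ll_demo(path, 60000) != 0 || ll_footprint(path, &size, &alloc) != 0) {
        perror("lastlog demo");
        return 1;
    }
    printf("logical size %lld bytes, allocated %lld bytes\n",
           (long long)size, (long long)alloc);
    return 0;
}
```

With uid 60000 the file's logical size is 60001 records (about 1.9 MB) while only the two written blocks need storage on a filesystem with sparse-file support; a lookup on a uid between them or past EOF comes back as "never logged in", which is what login and finger show for such users. ll_update returning -1 on a missing file mirrors the behaviour noted above: deleting lastlog disables the record without anything recreating it.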





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.981111091520.25081A-100000>