From owner-freebsd-security Wed Nov 11 06:26:45 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA19408 for freebsd-security-outgoing; Wed, 11 Nov 1998 06:26:45 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA19402; Wed, 11 Nov 1998 06:26:41 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id JAA25145; Wed, 11 Nov 1998 09:26:00 -0500 (EST)
Date: Wed, 11 Nov 1998 09:25:59 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Keith Stevenson
cc: freebsd-security@FreeBSD.ORG
Subject: Re: chflags on log files question
In-Reply-To: <19981110084411.B13216@homer.louisville.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 10 Nov 1998, Keith Stevenson wrote:

> I'm not sure that both flags are necessary. It is my understanding that the
> uappnd flag makes the file append only for non-root users (root can still
> manipulate the file), while the sappnd flag stops even root from doing anything
> other than appends.

sappnd alone should be sufficient, assuming the directory hierarchy is
protected adequately. Needless to say, newsyslog should be disabled if you
are taking this approach. Or at least, run only at boot, etc.

> I'm running at securelevel=2 on several of my servers. I've flagged several
> log files (lastlog, messages, wtmp) as schg. With the exception of lastlog,
> all of these files appear to be updated correctly.

lastlog is not maintained by syslog, rather, by login and friends.
From a brief perusal of login.c, we note that:

    if ((fd = open(_PATH_LASTLOG, O_RDWR, 0)) >= 0) {
        (void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), L_SET);

In other words, this is not a sequential log file, but an array with one
entry per active user indicating when/where/etc they last logged in from.

BTW, this is a good reason to keep /var/log on a partition that supports
sparse files, and then to be very careful with the lastlog file (don't tar
it :) in the event that you actually use large uid's, as you risk filling in
all those empty blocks in between.

Fortunately, it looks like if the file doesn't exist, it isn't created,
meaning that you can just delete it if you don't care about finger
displaying the information, and login displaying it at login.

I have not reviewed related code in rshd/sshd that bypass login.

Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/
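An added illustration of the uid-indexed layout described above (example code written for this page, not login.c): the record layout and the scratch path are assumptions, modelled on the 4.4BSD struct lastlog (time, tty, host), and it goes one step further than the message by reporting the apparent size versus the blocks actually allocated, which is what makes a large-uid lastlog risky to tar.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed record layout, modelled on the 4.4BSD struct lastlog (time, tty,
 * host); the exact field sizes are not quoted in the message. */
struct ll_entry { int32_t ll_time; char ll_line[8]; char ll_host[16]; };

/* The file is an array indexed by uid, as login.c's lseek computes it. */
static off_t ll_offset(uid_t uid) { return (off_t)uid * sizeof(struct ll_entry); }

/* Write uid's record. Writing past EOF leaves a hole, so a large uid does not
 * cost uid * sizeof(entry) bytes of disk where the filesystem supports holes. */
static int ll_write(const char *path, uid_t uid, const struct ll_entry *e) {
    int fd = open(path, O_WRONLY | O_CREAT, 0644);
    if (fd < 0) return -1;
    int ok = pwrite(fd, e, sizeof *e, ll_offset(uid)) == (ssize_t)sizeof *e;
    close(fd);
    return ok ? 0 : -1;
}

/* Read uid's record; -1 if the file is missing or the slot lies past EOF.
 * A slot inside a hole reads back as all zeroes (no login recorded). */
static int ll_read(const char *path, uid_t uid, struct ll_entry *e) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    int ok = pread(fd, e, sizeof *e, ll_offset(uid)) == (ssize_t)sizeof *e;
    close(fd);
    return ok ? 0 : -1;
}

/* Apparent size (what tar or cp would copy) versus bytes actually allocated. */
static int ll_usage(const char *path, off_t *apparent, off_t *allocated) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    *apparent = st.st_size;
    *allocated = (off_t)st.st_blocks * 512;
    return 0;
}

int main(void) {
    const char *path = "/tmp/lastlog.example";          /* constructed scratch file */
    struct ll_entry e = { 910779959, "ttyp0", "fledge" }; /* constructed sample */
    off_t ap, al;
    unlink(path);
    if (ll_write(path, 0, &e) || ll_write(path, 100000, &e) || ll_usage(path, &ap, &al)) return 1;
    printf("apparent %lld bytes, allocated %lld bytes\n", (long long)ap, (long long)al);
    return unlink(path);
}
```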