Date: Mon, 27 Jul 1998 08:37:15 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
To: "Jan B. Koum " <jkb@best.com>
Cc: security@FreeBSD.ORG
Subject: Re: files in /var/log
Message-ID: <Pine.BSF.3.96.980727083240.7733D-100000@fledge.watson.org>
In-Reply-To: <Pine.BSF.3.96.980727025241.7514A-100000@shell6.ba.best.com>

Jan,

On my own machines I have added a "logger" group and set permissions in
this manner:

/var/cron/log            root.loguser  640  3   100  *    Z
/var/log/amd.log         root.loguser  644  7   100  *    Z
/var/log/kerberos.log    root.loguser  640  7   100  *    Z
/var/log/lpd-errs        root.loguser  644  7   100  *    Z
/var/log/maillog         root.loguser  644  7   *    24   Z
/var/log/messages        root.loguser  644  5   *    168  Z
/var/log/slip.log        root.loguser  640  3   100  *    Z
/var/log/ppp.log         root.loguser  640  3   100  *    Z
/var/log/wtmp            root.loguser  644  52  *    168  ZB
/var/log/auth            root.loguser  640  14  *    168  Z
# my stuff
/var/log/ftpd.log        root.loguser  640  3   *    168  Z
/var/log/pop.log         root.loguser  640  3   *    72   Z
/var/log/kadmind.syslog  root.loguser  640  14  *    168  Z
/var/log/imapd.log       root.loguser  640  3   *    72   Z
/var/log/all-log         root.loguser  640  7   *    72   Z

A number of daemons and other programs tend to leak sensitive information
(such as bad login information) to publicly readable logs -- and I did
not want to give users root access to get to these files where it was
actually unnecessary. For more general use, root.wheel would probably be
sufficient.

I also changed some of the syslog logging rules to prevent auth-style log
entries from going to the wrong places. I suspect that there are some
daemons/etc out there that are delivering some of the auth-style log
messages with the wrong level on the log message (i.e., notice or
something) and as a result, they are not getting caught by this. However,
I have not looked closely. I don't know if the standard FreeBSD ssh
port/package changes the log level from DAEMON to AUTH or not, but I
certainly had to do that on my own build of sshd (see /etc/sshd_config).

On Mon, 27 Jul 1998, Jan B. Koum wrote:

>
> Hello all,
>
> By default FreeBSD has many files in /var/log group write. What is
> the reason for that? Can we change this to be group read only?
> Also, would it make more sense to ship /var/log/messages o-r by
> default? Why do we want all world to know what goes into our
> /var/log/messages files?
> [we would also need to modify /etc/newsyslog.conf's mode column
> to 640 then]
>
> -- Yan
>
> Jan Koum jkb@best.com                 | "Turn up the lights; I don't want
> www.FreeBSD.org -- The Power to Serve | to go home in the dark."
> "Write longer sentences - they are paying us a lot of money"
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message
>

Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/
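
Added example, not part of the original message: a small audit of newsyslog.conf-style entries that reports which log files would be created with modes beyond owner write and group read, the concern raised in this thread. It assumes the field order shown in the message (path, optional owner.group, octal mode, then the rotation fields); the SAMPLE text and /var/log/example.log are constructed for illustration.

```python
"""Audit newsyslog.conf entries for log modes that expose data to other users."""
import re

# Constructed sample in the owner.group layout used in the message above.
SAMPLE = """\
# logfilename          [owner.group]    mode count size when [ZB]
/var/log/messages      root.loguser     644  5     *    168  Z
/var/log/auth          root.loguser     640  14    *    168  Z
/var/log/example.log                    664  3     100  *
"""

MODE_RE = re.compile(r"^[0-7]{3,4}$")


def parse_entries(text):
    """Yield (path, owner, group, mode) for each newsyslog.conf entry."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 2:
            continue
        path, owner, group = fields[0], None, None
        rest = fields[1:]
        # The owner.group field is optional; a bare octal number is the mode.
        if not MODE_RE.match(rest[0]):
            owner, _, group = rest[0].replace(":", ".").partition(".")
            rest = rest[1:]
        if not rest or not MODE_RE.match(rest[0]):
            continue  # malformed line: skip rather than guess
        yield path, owner or None, group or None, int(rest[0], 8)


def audit(text):
    """Return {path: [issues]} for modes wider than owner rw / group r."""
    findings = {}
    for path, _owner, _group, mode in parse_entries(text):
        issues = []
        if mode & 0o004:
            issues.append("world-readable")
        if mode & 0o002:
            issues.append("world-writable")
        if mode & 0o020:
            issues.append("group-writable")
        if issues:
            findings[path] = issues
    return findings


if __name__ == "__main__":
    for path, issues in audit(SAMPLE).items():
        print(f"{path}: {', '.join(issues)}")
```

To check a real system, pass the contents of /etc/newsyslog.conf to audit() and review each reported path against what the log actually contains.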