Date:      Sun, 28 Jul 2019 17:21:33 +0200
From:      Jilles Tjoelker <jilles@stack.nl>
To:        Ian Lepore <ian@FreeBSD.org>
Cc:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r349974 - head/libexec/rc/rc.d
Message-ID:  <20190728152133.GA3481@stack.nl>
In-Reply-To: <201907131607.x6DG7cTR067202@repo.freebsd.org>
References:  <201907131607.x6DG7cTR067202@repo.freebsd.org>

On Sat, Jul 13, 2019 at 04:07:38PM +0000, Ian Lepore wrote:
> Author: ian
> Date: Sat Jul 13 16:07:38 2019
> New Revision: 349974
> URL: https://svnweb.freebsd.org/changeset/base/349974

> Log:
>   Limit access to system accounting files.

>   In 2013 the security chapter of the Handbook was updated in r42501 to
>   suggest limiting access to the system accounting file [*1] by creating the
>   initial file with a mode of 0600. This was in part based on a discussion in
>   the forums [*2]. Unfortunately, this advice is overridden by the fact that a
>   new file is created as part of periodic daily processing, and the file mode
>   is set by the rc.d/accounting script.

>   These changes update the accounting script to create the directory with mode
>   0750 if it doesn't already exist, and to create the daily file with mode
>   0640. This limits write access to root only, read access to root and members
>   of wheel, and eliminates world access completely. For admins who want to
>   prevent even members of wheel from accessing the files, the mode of the
>   /var/account directory can be manually changed to 0700, because the script
>   never creates or changes that directory if it already exists.

I like it. However, the /var/account directory is normally created by
mtree: etc/mtree/BSD.var.dist. Perhaps the permissions should be
adjusted there as well.

-- 
Jilles Tjoelker
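As an added illustration of the modes the commit message describes (not the rc.d/accounting script itself and not Jilles's code), the following POSIX sh creates the accounting directory as 0750 only if absent, creates the daily file as 0640 without a chmod window, and audits both paths for world access. ACCT_DIR defaults to a constructed temporary location so it runs anywhere; the acct_* function names are my own.

```shell
#!/bin/sh
# Added example: mirrors the directory/file modes from r349974 and checks them.
# ACCT_DIR stands in for /var/account; override it to audit a real system.
ACCT_DIR="${ACCT_DIR:-$(mktemp -d)/account}"
ACCT_FILE="$ACCT_DIR/acct"

# Create the directory only when it does not exist, so an admin's stricter
# manual 0700 survives (the same behaviour the commit message describes).
acct_setup() {
    if [ ! -d "$ACCT_DIR" ]; then
        (umask 027 && mkdir "$ACCT_DIR")    # 0777 & ~027 = 0750
    fi
    # Create the file with its final mode from the start: no create-then-chmod
    # window during which the file is briefly world-readable.
    if [ ! -f "$ACCT_FILE" ]; then
        (umask 027 && : > "$ACCT_FILE")     # 0666 & ~027 = 0640
    fi
}

# Print the octal permission bits of a path; GNU stat first, then BSD stat.
acct_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Return 0 when the directory is 0750 or 0700 and the file is 0640 or 0600,
# i.e. no world access at all and no write access outside root; else return 1.
acct_audit() {
    dmode=$(acct_mode "$ACCT_DIR")
    fmode=$(acct_mode "$ACCT_FILE")
    case "$dmode" in
        700|750) ;;
        *) echo "$ACCT_DIR: mode $dmode, expected 0750 or 0700" >&2; return 1 ;;
    esac
    case "$fmode" in
        600|640) ;;
        *) echo "$ACCT_FILE: mode $fmode, expected 0640 or 0600" >&2; return 1 ;;
    esac
    return 0
}

acct_setup && acct_audit && echo "accounting paths OK: $ACCT_DIR"
```

The audit also covers the case Jilles raises: when /var/account already exists with whatever mode mtree gave it, acct_setup leaves it alone and acct_audit reports whether that mode still keeps world access out.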