From owner-freebsd-bugs@FreeBSD.ORG  Thu Jul 25 19:40:02 2013
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@smarthost.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTP id 3C1AD969
 for <freebsd-bugs@smarthost.ysv.freebsd.org>;
 Thu, 25 Jul 2013 19:40:02 +0000 (UTC)
 (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
 [IPv6:2001:1900:2254:206c::16:87])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id 19C822C0A
 for <freebsd-bugs@smarthost.ysv.freebsd.org>;
 Thu, 25 Jul 2013 19:40:02 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
 by freefall.freebsd.org (8.14.7/8.14.7) with ESMTP id r6PJe1YA005828
 for <freebsd-bugs@freefall.freebsd.org>; Thu, 25 Jul 2013 19:40:01 GMT
 (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
 by freefall.freebsd.org (8.14.7/8.14.7/Submit) id r6PJe1iZ005827;
 Thu, 25 Jul 2013 19:40:01 GMT (envelope-from gnats)
Resent-Date: Thu, 25 Jul 2013 19:40:01 GMT
Resent-Message-Id: <201307251940.r6PJe1iZ005827@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, ShelLuser <pl@catslair.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTP id 6C60B510
 for <freebsd-gnats-submit@FreeBSD.org>; Thu, 25 Jul 2013 19:30:43 +0000 (UTC)
 (envelope-from nobody@FreeBSD.org)
Received: from oldred.freebsd.org (oldred.freebsd.org [8.8.178.121])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id 59BC92B6C
 for <freebsd-gnats-submit@FreeBSD.org>; Thu, 25 Jul 2013 19:30:43 +0000 (UTC)
Received: from oldred.freebsd.org ([127.0.1.6])
 by oldred.freebsd.org (8.14.5/8.14.7) with ESMTP id r6PJUh7r052017
 for <freebsd-gnats-submit@FreeBSD.org>; Thu, 25 Jul 2013 19:30:43 GMT
 (envelope-from nobody@oldred.freebsd.org)
Received: (from nobody@localhost)
 by oldred.freebsd.org (8.14.5/8.14.5/Submit) id r6PJUhMa052011;
 Thu, 25 Jul 2013 19:30:43 GMT (envelope-from nobody)
Message-Id: <201307251930.r6PJUhMa052011@oldred.freebsd.org>
Date: Thu, 25 Jul 2013 19:30:43 GMT
From: ShelLuser <pl@catslair.org>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Subject: misc/180854: Default permission bits for /var/account are insecure.
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2013 19:40:02 -0000


>Number:         180854
>Category:       misc
>Synopsis:       Default permission bits for /var/account are insecure.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 25 19:40:01 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     ShelLuser
>Release:        9.1-RELEASE
>Organization:
>Environment:
FreeBSD smtp2.losoco.com 9.1-RELEASE-p3 FreeBSD 9.1-RELEASE-p3 #0: Mon Apr 29 18:27:25 UTC 2013     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

>Description:
The default permission bits for /var/account are set to 655 right after you installed the FreeBSD base system.

However; because the tools used for process accounting do not take the current user account into consideration this means that anyone who follows the instructions from the FreeBSD handbook to setup process accounting ends up with a potentially dangerous setup because from that point on all user accounts on the system can access the collected accounting data, for example by using lastcomm.

The instructions I'm referring to can be found here:
http://www.freebsd.org/doc/handbook/security-accounting.html

>How-To-Repeat:
* Install FreeBSD 9.1-RELEASE (though I have reasons to assume this also applies to other versions).
* Enable process accounting using the instructions from the FreeBSD handbook.
* Run /usr/bin/lastcomm using a regular user account.

>Fix:
Either using "chmod 650 /var/account" to limit access to root and the wheel group only, or perhaps using "chmod 600 /var/account" to limit access to root only.

My suggestion would be to change the default permission bits for /var/account.

>Release-Note:
>Audit-Trail:
>Unformatted: