Date:      Thu, 10 Oct 2002 12:42:29 GMT
From:      Socketd <db@traceroute.dk>
To:        Giorgos Keramidas <keramida@ceid.upatras.gr>, freebsd-questions@freebsd.org
Subject:   Re: Security questions
Message-ID:  <20021010.12422900.3222565378@rafter.>
In-Reply-To: <20021010102838.GN21391@hades.hell.gr>
References:  <20021009.22451000.4017525480@rafter.> <20021010023701.GJ21391@hades.hell.gr> <20021010.10135300.3745751216@rafter.> <20021010102838.GN21391@hades.hell.gr>

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 10/10/02, 12:28:38 PM, Giorgos Keramidas <keramida@ceid.upatras.gr>
wrote regarding Re: Security questions:

> > > Another reason is obvious if you look at the owner and permissions of
> > > the system log files:
> >
> > > giorgos@patata[05:33]/home/giorgos$ ls -ld /var/log/messages
> > > -rw-r--r--  1 root  wheel  620908 Oct 10 05:33 /var/log/messages
> >
> > Yes, but they could be changed to user: syslog

> No they couldn't.  syslog is not a superuser, but a normal user.  The
> access controls imposed on users attempting to access the files owned
> by a root user are a bit more strict than those that apply to the rest
> of the users, right now.  I have to admit, it's not a bad idea to have
> log files owned by a syslog:syslog user, and selectively allow read,
> write or modification access through access lists.  But that's
> something we ought to reconsider when ACLs are widely available on
> FreeBSD, imho.

I am not the biggest fan of ACLs and I think we can solve this problem
with the tools we have now. We have /var and different daemons and the
kernel have to write messages to different files in that "dir". The
interface to /var/ should be syslogd, meaning that all files in that
"dir" should be owned by syslog. I can't see the need for ACL to make
syslogd a non-root daemon.

Br
socketd
