Date: Mon, 27 Jul 1998 08:37:15 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: "Jan B. Koum"
cc: security@FreeBSD.ORG
Subject: Re: files in /var/log

Jan,

On my own machines I have added a "logger" group and set permissions in
this manner:

/var/cron/log           root.loguser 640  3  100 *   Z
/var/log/amd.log        root.loguser 644  7  100 *   Z
/var/log/kerberos.log   root.loguser 640  7  100 *   Z
/var/log/lpd-errs       root.loguser 644  7  100 *   Z
/var/log/maillog        root.loguser 644  7  *   24  Z
/var/log/messages       root.loguser 644  5  *   168 Z
/var/log/slip.log       root.loguser 640  3  100 *   Z
/var/log/ppp.log        root.loguser 640  3  100 *   Z
/var/log/wtmp           root.loguser 644  52 *   168 ZB
/var/log/auth           root.loguser 640  14 *   168 Z
# my stuff
/var/log/ftpd.log       root.loguser 640  3  *   168 Z
/var/log/pop.log        root.loguser 640  3  *   72  Z
/var/log/kadmind.syslog root.loguser 640  14 *   168 Z
/var/log/imapd.log      root.loguser 640  3  *   72  Z
/var/log/all-log        root.loguser 640  7  *   72  Z

A number of daemons and other programs tend to leak sensitive information
(such as bad login information) to publicly readable logs -- and I did
not want to give users root access to get to these files where it was
actually unnecessary. For more general use, root.wheel would probably be
sufficient.

I also changed some of the syslog logging rules to prevent auth-style log
entries from going to the wrong places. I suspect that there are some
daemons/etc out there that are delivering some of the auth-style log
messages with the wrong level on the log message (i.e., notice or
something) and as a result, they are not getting caught by this. However,
I have not looked closely. I don't know if the standard FreeBSD ssh
port/package changes the log level from DAEMON to AUTH or not, but I
certainly had to do that on my own build of sshd (see /etc/sshd_config).

On Mon, 27 Jul 1998, Jan B. Koum wrote:

>
> Hello all,
>
> By default FreeBSD has many files in /var/log group write. What is
> the reason for that? Can we change this to be group read only?
> Also, would it make more sense to ship /var/log/messages o-r by
> default? Why do we want all world to know what goes into our
> /var/log/messages files?
> [we would also need to modify /etc/newsyslog.conf's mode column
> to 640 then]
>
> -- Yan
>
> Jan Koum  jkb@best.com                |  "Turn up the lights; I don't want
> www.FreeBSD.org -- The Power to Serve |   to go home in the dark."
> "Write longer sentences - they are paying us a lot of money"
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message
>

Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/
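
An added example, not part of the original message: a small Python audit of newsyslog.conf entries that reports logs whose mode is looser than owner read/write plus group read, the policy discussed in this thread. The function names and the log_group parameter are hypothetical; the last two sample lines are constructed, the others are taken from the listing above.

```python
import re

# Sample newsyslog.conf text. Entries using root.loguser come from the
# message above; example.log and other.log are constructed test cases.
SAMPLE = """\
/var/cron/log        root.loguser 640  3  100 *   Z
/var/log/messages    root.loguser 644  5  *   168 Z
/var/log/auth        root.loguser 640  14 *   168 Z
# my stuff
/var/log/ftpd.log    root.loguser 640  3  *   168 Z
/var/log/example.log 664 3 100 * Z
/var/log/other.log   root:wheel 600 3 100 * Z
"""

OCTAL = re.compile(r"^[0-7]{3,4}$")

def parse(text):
    """Yield (path, owner, group, mode); owner/group are None if omitted."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split()
        if len(line) < 5:
            continue  # blank, comment, or too short to be an entry
        path, rest = line[0], line[1:]
        owner = group = None
        if not OCTAL.match(rest[0]):  # optional owner.group or owner:group
            owner, _, group = re.sub(r"[.:]", ":", rest[0], count=1).partition(":")
            rest = rest[1:]
        if not OCTAL.match(rest[0]):
            continue  # no mode column where one is expected
        yield path, owner or None, group or None, int(rest[0], 8)

def audit(text, log_group="loguser"):
    """Return {path: [findings]} for entries looser than 640 for log_group."""
    report = {}
    for path, owner, group, mode in parse(text):
        findings = []
        if mode & 0o007:
            findings.append("world-accessible")
        if mode & 0o020:
            findings.append("group-writable")
        if mode & 0o040 and group != log_group:
            findings.append("group-readable by %s" % (group or "default group"))
        if findings:
            report[path] = findings
    return report

if __name__ == "__main__":
    for path, findings in audit(SAMPLE).items():
        print("%-22s %s" % (path, ", ".join(findings)))
```

Run against a real /etc/newsyslog.conf by passing its contents to audit(); the modes it reports are the ones newsyslog will apply to rotated files, so the live files should also be checked with ls -l.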