Date: Sun, 14 Jul 2019 20:23:51 -0700
From: "Enji Cooper (yaneurabeya)" <yaneurabeya@gmail.com>
To: Ian Lepore <ian@freebsd.org>
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r349974 - head/libexec/rc/rc.d
Message-ID: <4D2DD5FF-3BEE-42F7-B4D1-41C399740551@gmail.com>
In-Reply-To: <201907131607.x6DG7cTR067202@repo.freebsd.org>
References: <201907131607.x6DG7cTR067202@repo.freebsd.org>
> On Jul 13, 2019, at 09:07, Ian Lepore <ian@freebsd.org> wrote:
>
> Author: ian
> Date: Sat Jul 13 16:07:38 2019
> New Revision: 349974
> URL: https://svnweb.freebsd.org/changeset/base/349974
>
> Log:
> Limit access to system accounting files.
>
> In 2013 the security chapter of the Handbook was updated in r42501 to
> suggest limiting access to the system accounting file [*1] by creating the
> initial file with a mode of 0600. This was in part based on a discussion in
> the forums [*2]. Unfortunately, this advice is overridden by the fact that a
> new file is created as part of periodic daily processing, and the file mode
> is set by the rc.d/accounting script.
>
> These changes update the accounting script to create the directory with mode
> 0750 if it doesn't already exist, and to create the daily file with mode
> 0640. This limits write access to root only, read access to root and members
> of wheel, and eliminates world access completely. For admins who want to
> prevent even members of wheel from accessing the files, the mode of the
> /var/account directory can be manually changed to 0700, because the script
> never creates or changes that directory if it already exists.
>
> The accounting_rotate_log() function now also handles the error cases of no
> existing log file to rotate, and attempting to rotate the file multiple
> times (.0 file already exists).
>
> Another small change here eliminates the complexity of the mktemp/chmod/mv
> sequence for creating a new acct file by using install(1) with the flags
> needed to directly create the file with the desired ownership and
> modes. That allows coalescing two separate if checkyesno accounting_enable
> blocks into one.
>
> These changes were inspired by my investigation of PR 202203.
>
> [1] https://www.freebsd.org/doc/handbook/security-accounting.html
> [2] http://forums.freebsd.org/showthread.php?t=41059
>
> PR: 202203
> Differential Revision: https://reviews.freebsd.org/D20876

Does this deserve a “Relnotes: yes”…?

Thanks!
-Enji
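
The directory, file-creation and rotation behaviour described in the quoted commit log, as an added example that is not part of this message and is not the FreeBSD rc.d/accounting script. The function names and the scratch directory are hypothetical, the rotation is simplified, and returning an error code in the two rotation error cases is an assumption about how they are handled.

```sh
#!/bin/sh
# Added example: not the FreeBSD rc.d/accounting script. Function names and
# the scratch directory are hypothetical; the modes come from the commit log.

# Create the accounting directory with mode 0750 only when it is missing.
# An existing directory is left alone, so an admin's manual 0700 survives.
acct_prepare_dir() {
    [ -d "$1" ] || install -d -m 0750 "$1"
}

# Create an empty file with mode 0640 via install(1), replacing a
# mktemp/chmod/mv sequence. Ownership flags (-o, -g) are omitted here so
# the example runs unprivileged.
acct_create_file() {
    install -m 0640 /dev/null "$1"
}

# Rotate FILE to FILE.0 and start a fresh FILE (simplified rotation).
# Returns 1 when there is nothing to rotate, 2 when FILE.0 already exists.
acct_rotate() {
    if [ ! -e "$1" ]; then
        echo "acct_rotate: $1 does not exist" >&2
        return 1
    fi
    if [ -e "$1.0" ]; then
        echo "acct_rotate: $1.0 already exists" >&2
        return 2
    fi
    mv "$1" "$1.0" && acct_create_file "$1"
}

# Print the permission bits in octal (GNU stat first, then BSD stat).
acct_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demo in a constructed scratch directory standing in for /var.
demo=$(mktemp -d)
acct_prepare_dir "$demo/account"
acct_create_file "$demo/account/acct"
acct_rotate "$demo/account/acct"
echo "dir=$(acct_mode "$demo/account") acct=$(acct_mode "$demo/account/acct")"
rm -rf "$demo"
```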