[203] in linux-security and linux-alert archive
Re: Serious security hole: log files
daemon@ATHENA.MIT.EDU (Jeff Uphoff)
Tue Apr 11 12:13:40 1995
Date: Tue, 11 Apr 1995 11:29:07 -0400
From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
To: Belikoff Alexander <abel@wisdom.weizmann.ac.il>
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: Your message of Sun, April 9, 1995 15:02:08 GMT
"BA" == Belikoff Alexander <abel@wisdom.weizmann.ac.il> writes:
BA> I would like to mention a serious (to my mind) security hole in the
BA> logging system.
This is not a "hole" unique to Linux.
BA> As I noticed, sysklogd package creates log files with world-read
BA> permissions. Now suppose the following: you type your password at the
BA> login prompt (it *does* happen sometimes, whether you want it or not).
BA> As usual, your log file will contain the message of the following
BA> kind:
BA> ... login failed for user 'my_very_secure_password'
This is a common occurrence, unfortunately; I've done it more times than
I would care to remember.
BA> Now suppose the ill-minded guy, reading your log file...
BA> The best solution is, probably, to set /usr/adm perms to 700.
Though 'syslogd' will usually create the files with world-read
permission, it will not modify an *existing* log-file's permission when
it starts. Here's how I do things (to prevent people from snooping in
the log files that may contain passwords, etc); I rotate my logs at
shutdown, vice via a crontab, so all my current logs contain info. since
the last (nice) shutdown.
Snippet from /etc/rc.d/rc.0:
# Skip the cleanup on a fast reboot; otherwise empty the temp dirs and
# rotate the logs before the system goes down.
if [ ! -f /etc/fastboot ] ; then
    echo "Emptying the trash:" > /dev/console
    /etc/rc.d/brc.clean > /dev/console 2>&1
    echo "Trimming logs:" > /dev/console
    /etc/rc.d/brc.trim > /dev/console 2>&1
fi
Snippet from /etc/rc.d/brc.trim:
ADMDIR=/var/adm
# Trim messages log: keep the last 5000 lines in messages.old, start a
# fresh empty messages file, and set its owner and mode now so that
# syslogd finds it already there (and not world-readable) at next boot.
if [ -s "$ADMDIR/messages" ] ; then
    echo " messages"
    # messages.old does not exist on the very first run.
    touch "$ADMDIR/messages.old"
    cat "$ADMDIR/messages.old" "$ADMDIR/messages" | tail -n 5000 > "$ADMDIR/messages.tmp"
    mv -f "$ADMDIR/messages.tmp" "$ADMDIR/messages.old"
    rm -f "$ADMDIR/messages" ; touch "$ADMDIR/messages"
    chown root:sysadmin "$ADMDIR"/messages* ; chmod 640 "$ADMDIR"/messages*
fi
I'm not saying that this is an optimal way of doing this, but I've been
using this scheme under Linux (in various ways) for about two years. By
making sure that the /var/adm/messages file will exist at next 'syslogd'
startup, and that it will have the ownership and permissions that I
want, I don't have to worry about people browsing it for passwords. (My
regular account is the only one in the "sysadmin" group--so that I can
take quick peeks at the logs without having to 'su'.)
Further discussion on this by private e-mail (not the list) please, as
it's pretty much a general UNIX sysadmin issue...
--Up.
--
Jeff Uphoff - systems/network admin. | juphoff@nrao.edu
National Radio Astronomy Observatory | jeff.uphoff@linux.org
Charlottesville, VA, USA | http://linux.nrao.edu/~juphoff/
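As an added example (not code from the original post): a POSIX shell audit that lists world-readable files in a log directory and counts failed-login lines whose quoted user is not an account in a given passwd file, which is exactly what a password typed at the login prompt looks like in the log. The log line format is the one quoted in the thread; the sample log, the passwd file and the scratch directory are all constructed.

```shell
#!/bin/sh
# Added example (not Jeff Uphoff's code): audit a log directory for
# world-readable files and count failed-login lines whose "user" is not
# a real account, which usually means a password landed in the log.

# Print every regular file under directory $1 that has the world-read bit.
world_readable_logs() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# Count lines in log $1 of the form "login failed for user 'X'" (the
# format quoted in the thread) where X is not a login name in passwd file $2.
suspect_login_lines() {
    log=$1 passwd=$2 n=0
    while IFS= read -r line; do
        case $line in
            *"login failed for user '"*"'"*) ;;
            *) continue ;;
        esac
        user=${line#*"login failed for user '"}
        user=${user%%\'*}
        if ! cut -d: -f1 "$passwd" | grep -qxF -- "$user"; then
            n=$((n + 1))
        fi
    done < "$log"
    echo "$n"
}

# Constructed demo data in a scratch directory; no real logs or accounts.
DEMO=$(mktemp -d)
mkdir "$DEMO/adm"
printf '%s\n' \
    "Apr 11 11:02:17 athena login[212]: login failed for user 'juphoff'" \
    "Apr 11 11:02:31 athena login[213]: login failed for user 'my_very_secure_password'" \
    "Apr 11 11:05:02 athena login[219]: login failed for user 'hunter2'" \
    "Apr 11 11:07:44 athena syslogd: restart" > "$DEMO/adm/messages"
printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
    'juphoff:x:1000:1000::/home/juphoff:/bin/sh' > "$DEMO/passwd"
chmod 644 "$DEMO/adm/messages"    # the sysklogd default the thread complains about

echo "world-readable logs before the fix: $(world_readable_logs "$DEMO/adm")"
chmod 640 "$DEMO/adm/messages"    # the poster's fix
echo "world-readable logs after the fix:  $(world_readable_logs "$DEMO/adm")"
echo "failed-login lines likely holding a password: $(suspect_login_lines "$DEMO/adm/messages" "$DEMO/passwd")"
```

Point world_readable_logs at the real log directory (/var/adm or /var/log) to find files that escaped the mode-640 rotation, e.g. ones syslogd created itself after a crash.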