[3200] in testers


Re: 8.1 behavior

daemon@ATHENA.MIT.EDU (mhpower@MIT.EDU)
Thu Jun 5 01:59:37 1997

From: mhpower@MIT.EDU
To: testers@MIT.EDU
In-Reply-To: "[3108] in testers"
Date: Thu, 05 Jun 1997 01:59:28 EDT

>and if it is a root krsh the command and originator are logged:
>
>SYSLOG, the-other-woman, daemon.notice, root@THE-OTHER-WOMAN 
>May 15 16:47:16 [the-other-woman] kshd[2292]: Executing cat /.klogin for principal jweiss/root@ATHENA.MIT.EDU (jweiss@the-other-woman.MIT.EDU) as ROOT

I believe it's compiled with "#define LOG_REMOTE_REALM", and if that's
the case I think it will log the command string for commands run as
any user if the kshd connection is made using a non-ATHENA.MIT.EDU
Kerberos ticket.

Although this possibly may be the desired behavior on some of
Athena's server machines, I believe in the general case it's a serious
privacy violation for users' commands to be logged to a file, just
because the commands happen to be executed via rsh. The privacy
problem appears to be compounded by the fact that /usr/adm/messages
(which, by default, would receive these daemon.notice messages)
is a publicly readable file.

I think it's a very good idea for /usr/adm/messages to be publicly
readable, since on occasion ordinary users can glean information about
system problems by looking at this file. I don't believe that ordinary
users should always have access to information about what commands
have been executed remotely as root. One particular case in which
this is undesirable is if a root user is trying to investigate whether
an unauthorized person has broken into the machine, without making
it easily detectable that the problem is being investigated remotely.

Whether one root user has any privacy right to not have all their
remote commands publicized to other root users can, I believe, be
debated either way. I think there is a privacy right here, and people
with root access in most of the Athena environment should not be
subject to detailed monitoring of what they type in. Fans of the
traditional "bos exec" logging may, of course, feel otherwise.

So, my order of preferences would be:
  1. rebuild kshd without the "#define LOG_CMD"
  2. rebuild kshd without the "#define LOG_REMOTE_REALM"
  3. change syslog.conf so that daemon.notice messages are neither
     written to a publicly readable file nor sent over the network
     in the clear

Matt
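Preference 3 above asks that daemon.notice messages reach neither a publicly readable file nor the network in the clear. The following added example (mine, not from this thread or from the Athena syslog setup) audits a BSD-style syslog.conf for exactly those two outcomes; the config texts and file modes are constructed inline rather than read from a live host, and loghost.example.edu and /usr/adm/daemonlog are assumed names.

```python
import re
# Classic severities, most severe first; 'fac.level' matches that level and above.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def line_routes(selectors, facility, level):
    """Selectors apply left to right; later ones win and 'fac.none' excludes (BSD syslogd)."""
    routed = False
    for sel in selectors.split(";"):
        facs, _, lvl = sel.rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if lvl == "none":
            routed = False
        else:
            routed = LEVELS.index(level) <= LEVELS.index("debug" if lvl == "*" else lvl)
    return routed

def find_actions(conf_text, facility="daemon", level="notice"):
    """Return the actions (file path, @host, ...) that receive facility.level."""
    lines = [ln.split("#", 1)[0].strip() for ln in conf_text.splitlines()]
    actions = []
    for line in filter(None, lines):
        selectors, action = re.split(r"\s+", line, maxsplit=1)
        if line_routes(selectors, facility, level):
            actions.append(action)
    return actions

def audit(conf_text, file_modes):
    """file_modes: path -> mode bits (constructed, not stat'ed); unknown paths count as unsafe."""
    findings = []
    for action in find_actions(conf_text):
        if action.startswith("@"):
            findings.append((action, "forwarded over the network in the clear"))
        elif action.startswith("/"):
            mode = file_modes.get(action)
            if mode is None or mode & 0o004:
                findings.append((action, "written to a world-readable file"))
    return findings

# Constructed configs: LEAKY mirrors the complaint; FIXED applies preference 3.
LEAKY_CONF = """\
*.notice;auth.debug   /usr/adm/messages
daemon.info           @loghost.example.edu
"""
LEAKY_MODES = {"/usr/adm/messages": 0o644}
FIXED_CONF = """\
*.notice;daemon.none;auth.debug   /usr/adm/messages
daemon.notice                     /usr/adm/daemonlog
"""
FIXED_MODES = {"/usr/adm/messages": 0o644, "/usr/adm/daemonlog": 0o600}
```

Running audit(LEAKY_CONF, LEAKY_MODES) reports both problems, while the FIXED configuration keeps /usr/adm/messages public for everything else and still yields no findings.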
