supervision - discussion about system services, daemon supervision, init, runlevel management, and tools such as s6 and runit
From: Vincent Danen <vdanen@linsec.ca>
Cc: supervision@list.skarnet.org
Subject: Re: svlogd and umask settings
Date: Fri, 1 Sep 2006 11:49:40 -0600
Message-ID: <20060901174940.GY25489@annvix.org>
In-Reply-To: <20060830220325.GK25489@annvix.org>


* Vincent Danen <vdanen@linsec.ca> [2006-08-30 16:03:25 -0600]:

> I have an issue with svlogd where I need it to write files with 0640
> perms, but it wants to write with 0644 perms.  I tried to toss a umask
> call in my runscript:
> 
> [root@ares apparmor.d]# cat /service/auditd/log/run 
> #!/bin/execlineb
> 
> # logging for the auditd service; unfortunately we need to run as root here
> # so that genprof will look at our log
> 
> /bin/foreground { /usr/bin/install -m 0700 -d -o root -g root
> /var/log/system/audit }
> /bin/cd /var/log/service
> /bin/umask 026
> /sbin/svlogd /var/log/system/audit
> 
> This doesn't seem to make a difference to svlogd.  Looking in the
> manpage, I didn't see anything about changing the permissions of files
> it creates.  But even with the above I get:
> 
> [root@ares apparmor.d]# ls -l /var/log/system/audit/
> total 0
> -rw-r--r--  1 root root 0 Aug 30 16:17 current
> -rw-------  1 root root 0 Aug 30 16:17 lock
> 
> What am I missing or do I have to change something in svlogd itself?
> Since Annvix is now using socklog by default, I need to make sure logs
> are 0640.  The directory permissions are correct, but the log file
> permissions are not.

Ok, I see the problem.  I see all the fchmod() calls in svlogd.c that
are writing files as mode 0744 or 0644.  What would be nice to see is if
svlogd could be configured to accept as a config option perms for files
or if it respected umask settings.  As it stands right now, I'm going to
have to patch svlogd.c to make it write files mode 0740 or 0640.

In conjunction with stuff like socklog, this is pretty important.  You
never see stuff like /var/log/messages or /var/log/auth.log with such
insecure permissions so it would be good if something that socklog
depended on could likewise write more secure log files.

Maybe a switch (like -s) to enable secure logfile writing (mode 0x40)
and -ss to enable more secure logfile writing (mode 0x00)?

My C skills aren't overly sharp, but I'll see if I can hobble a patch
together for this.

-- 
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C  A2BC 2EBC 5E32 FEE3 0AD4}
mysql> SELECT * FROM users WHERE clue > 0;
Empty set (0.00sec)
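The mechanism behind the observation in this message, as an added example (not code from svlogd, runit, or this thread): a umask set in the run script is applied by the kernel when open() creates a file, but fchmod() sets the mode bits verbatim and never consults the umask, so a program that fchmod()s its log files to 0644 overrides whatever umask its parent set. The program below creates a file both ways and reports the resulting mode; it assumes a writable /tmp for its scratch directory.

```c
/* Added example: umask applies to open(O_CREAT), not to fchmod(). */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create "current" in a fresh scratch directory (constructed under /tmp)
   with open(O_CREAT, mode) while the given umask is in force. When
   do_fchmod is set, follow that with fchmod(fd, mode), which is what a
   program like svlogd does. Return the permission bits actually on the
   file, or -1 on error. Everything is cleaned up before returning. */
static int probe(mode_t mode, mode_t mask, int do_fchmod)
{
    char dir[] = "/tmp/umask-probe-XXXXXX";     /* constructed scratch dir */
    if (mkdtemp(dir) == NULL)
        return -1;

    char path[sizeof dir + 16];
    snprintf(path, sizeof path, "%s/current", dir);

    mode_t old = umask(mask);                   /* the run script's umask */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    umask(old);                                 /* restore for the caller */

    int result = -1;
    if (fd >= 0) {
        struct stat st;
        /* fchmod() ignores the umask: the explicit mode wins */
        if ((!do_fchmod || fchmod(fd, mode) == 0) && fstat(fd, &st) == 0)
            result = (int)(st.st_mode & 07777);
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

/* Mode the kernel applies when only open() is used: mode & ~mask. */
int mode_after_open(mode_t mode, mode_t mask)
{
    return probe(mode, mask, 0);
}

/* Mode that results when the program fchmod()s the file afterwards: mode. */
int mode_after_fchmod(mode_t mode, mode_t mask)
{
    return probe(mode, mask, 1);
}

int main(void)
{
    /* The thread's scenario: program asks for 0644, run script sets umask 026 */
    printf("open() only  : %04o\n", mode_after_open(0644, 026));   /* 0640 */
    printf("open()+fchmod: %04o\n", mode_after_fchmod(0644, 026)); /* 0644 */
    return 0;
}
```

The first line shows that the umask alone would have produced the 0640 the poster wants; the second reproduces the 0644 seen in the ls -l listing. Any fix therefore has to happen where the mode is chosen (the fchmod() argument, or a configurable mode that is masked before use), not in the run script.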



Thread overview: 8+ messages
2006-08-30 22:03 Vincent Danen
2006-09-01 17:49 ` Vincent Danen [this message]
2006-09-15 14:47   ` Gerrit Pape
2006-09-15 15:22     ` Vincent Danen
2006-09-16  9:51       ` Laurent Bercot
2006-09-16 17:20         ` Vincent Danen
2006-09-18 15:18       ` Christian Holtje
2006-09-18 16:06         ` Vincent Danen
