supervision - discussion about system services, daemon supervision, init, runlevel management, and tools such as s6 and runit
* user/group for svlogd
From: Alex Efros @ 2008-04-04  9:15 UTC
  To: supervision

Hi!

Which user/group permissions do you use for running svlogd processes (and
for /var/log/* directories)?

I'm trying to minimize the chaos happening there, and I'm not sure which
user/group is better to choose:
1)  Looks like there is no suitable user by default (there are 2 users
    which may be used, but I don't really like them: daemon and nobody),
    and there are 3 possible default groups which can be used (nofiles,
    nogroup, nobody).
2)  If all svlogd processes & log directories use the same user/group like
    nobody:nobody... and if we take into account that there are sometimes
    a few services (like apache :)) which also usually run as
    nobody:nobody... then if a hacker finds a small security hole in
    cgi/php and gets a web shell - he also gets read access to ALL LOGS.
    The same is true if no other daemons except svlogd share the same
    user/group - if a hacker manages to get some network service to save
    to the log a specially crafted string which results in svlogd
    executing the hacker's shell code, then this hacker again gets access
    to all logs (each, we all hope svlogd is secure, but shit always
    happens).

So, it sounds like the best solution is to use a unique user/group for
each svlogd. But I'm running ~30 svlogd on my system, and don't like to
create 30 new users/groups just for this.

Probably it makes sense to use group 'nofiles' for all svlogd processes,
and group 'root' for all log directories - this looks really secure (at
least until somebody creates files/directories with the nofiles group :)).

The best solution which comes to my mind about the user is to add a new
user 'log', and use it for all svlogd processes and log directories. If
svlogd is not hacked this looks like an easy and secure solution - at
least it guarantees this user account will not be used by other daemons.

-- 
			WBR, Alex.



* Re: user/group for svlogd
From: George Georgalis @ 2008-04-04 19:09 UTC
  To: supervision

On Fri, Apr 04, 2008 at 12:15:54PM +0300, Alex Efros wrote:
>The best solution which comes to my mind about the user is to add a new
>user 'log', and use it for all svlogd processes and log directories. If
>svlogd is not hacked this looks like an easy and secure solution - at
>least it guarantees this user account will not be used by other daemons.

That's what I do. Also create a log group for read access by privileged users.

// George

-- 
George Georgalis, information system scientist <IXOYE><
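
The arrangement the thread settles on (one dedicated 'log' user for every svlogd, plus a 'log' group for read access by privileged users), sketched with an audit check; this is an added example and not code from either poster. The function name audit_logdir, the /var/log/myservice path, mode 2750 and the useradd/nologin details are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed one-time setup (as root):
#   groupadd -r log
#   useradd -r -g log -s /usr/sbin/nologin log
#   chown -R log:log /var/log/myservice   # hypothetical service log dir
#   chmod 2750 /var/log/myservice         # owner rwx, group r-x, other none
# Assumed runit log/run script for that service:
#   #!/bin/sh
#   exec chpst -u log svlogd -tt /var/log/myservice

# audit_logdir DIR OWNER GROUP
# Prints one finding per problem; returns 0 if DIR matches the policy,
# 1 otherwise. The directory is the gate: without search permission on it,
# other accounts (e.g. a web server running as nobody) cannot open the logs.
audit_logdir() {
    dir=$1; want_owner=$2; want_group=$3; rc=0
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    # ls -ld fields: 1 = mode string, 3 = owner, 4 = group
    info=$(ls -ld "$dir" | awk '{print $1, $3, $4}')
    mode=${info%% *}; rest=${info#* }
    owner=${rest%% *}; group=${rest#* }
    if [ "$owner" != "$want_owner" ]; then
        echo "$dir: owner is $owner, expected $want_owner"; rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "$dir: group is $group, expected $want_group"; rc=1
    fi
    # Characters 8-10 of the mode string are the "other" permissions.
    if [ "$(printf '%s' "$mode" | cut -c8-10)" != "---" ]; then
        echo "$dir: accessible to other users ($mode)"; rc=1
    fi
    # Character 6 is group write: readers in the log group must not be
    # able to create, rename or delete log files.
    if [ "$(printf '%s' "$mode" | cut -c6)" != "-" ]; then
        echo "$dir: group-writable ($mode)"; rc=1
    fi
    return $rc
}

# Usage (not run here): for d in /var/log/*/; do audit_logdir "${d%/}" log log; done
```
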
