Bug#291825: exim4-base: /var/log/exim4 permissions

Anand Kumria <wildfire@progsoc.uts.edu.au>, 291825@bugs.debian.org
Mon, 24 Jan 2005 11:45:27 +1100


severity #291825 normal
thanks, mate

this isn't a 'wishlist' bug

wishlist
    for any feature request, and also for any bugs that are very
    difficult to fix due to major design considerations.

nor is it 'minor'
    a problem which doesn't affect the package's usefulness, and is
    presumably trivial to fix.

from: http://www.debian.org/Bugs/Developer#severities

On Sun, Jan 23, 2005 at 04:27:24PM +0100, Marc Haber wrote:
> severity #291825 wishlist
> tags #291825 wontfix
> thanks
> 
> On Mon, Jan 24, 2005 at 12:54:43AM +1100, Anand Kumria wrote:
> > Debian policy[1] recommends directories have permissions of either 755
> > or 2755. The /var/log/exim4 directories do not.
> 
> Feature. The log might contain confidential data.

I am not asking for the permissions of logfiles to be changed.

I am asking for the permission of the directory containing the logfiles
to be changed to be in line with policy.  Changing the permissions to be
in line with policy also allows a number of useful, reasonable
administrative actions.

Having the directory containing the logfiles be inaccessible does not
serve the purpose of keeping the logfiles confidential since the logfile
permissions already make them confidential!

> Add yourself to the adm group. Grepping logs as root is generally not
> a good idea.

Thanks for the suggestion. If it were just a single group I should add
myself to, that would be fantastic.  However as an administrator my
choices are:

	- add myself to every arbitrary group that every arbitrary Debian
	  maintainer would like me to (proxy, Debian-exim, adm, etc.)
	- ask maintainers to follow the Debian policy when it comes to
	  directories and do things as root

For people whose time is unlimited they may choose to add themselves to
every group.  Performing my requested change will not preclude them from
doing so.  Performing my requested change also enables the second group
of administrators to undertake their work with a minimum of extra
stress.

On Sun, Jan 23, 2005 at 05:22:09PM +0100, Andreas Metzler wrote:
> On 2005-01-23 Marc Haber <mh+debian-packages@zugschlus.de> wrote:
> 
> > Add yourself to the adm group. Grepping logs as root is generally not
> > a good idea.
> 
> I completely agree. Debian defines group adm exactly for this purpose.
> I do not think exim4 is doing anything wrong, the directory
> permissions act as a safeguard and do not limit suggested practice.

Per policy 10.9, the exim packages are.

Anand

-- 
linux.conf.au 2005   -  http://lca2005.linux.org.au/  -  Birthplace of Tux
April 18th to 23rd   -  http://lca2005.linux.org.au/  -       LINUX
Canberra, Australia  -  http://lca2005.linux.org.au/  -    Get bitten!
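
The disagreement above turns on whether the logfile modes alone keep the contents confidential or whether the directory mode is acting as a safeguard. As an added example (not part of this message or of the exim4 packaging), the shell functions below check a log directory against the 755/2755 modes cited in the report and count the files whose contents would be readable by every local user if the directory were opened up. It assumes GNU stat and find, as shipped on Debian; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes GNU stat/find (Debian).

# dir_mode DIR: print the octal permission bits of DIR, e.g. 2750.
dir_mode() {
    stat -c '%a' "$1"
}

# policy_dir_mode_ok DIR: succeed if DIR has one of the two directory
# modes the report cites from Debian policy (755 or 2755).
policy_dir_mode_ok() {
    case "$(dir_mode "$1")" in
        755|2755) return 0 ;;
        *)        return 1 ;;
    esac
}

# world_readable_count DIR: count regular files directly inside DIR that
# carry the "other read" bit. With a restrictive directory these files are
# shielded only by the directory mode; with a 755 directory their contents
# are readable by every local user.
world_readable_count() {
    n=$(find "$1" -maxdepth 1 -type f -perm -004 -print | wc -l)
    echo $((n))
}

# audit_log_dir DIR: print a one-line summary and return
#   0 if no file depends on the directory mode for confidentiality,
#   1 if at least one file would be exposed by a 755/2755 directory,
#   2 if DIR cannot be examined.
audit_log_dir() {
    mode=$(dir_mode "$1") || return 2
    if policy_dir_mode_ok "$1"; then policy=yes; else policy=no; fi
    exposed=$(world_readable_count "$1")
    echo "mode=$mode policy=$policy world_readable=$exposed"
    [ "$exposed" -eq 0 ]
}

# Stand-alone use: sh audit.sh /var/log/exim4
if [ "$#" -gt 0 ]; then
    audit_log_dir "$1"
fi
```

A result of `world_readable=0` means the file modes carry the confidentiality on their own, so the directory mode only controls who can list file names and metadata.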