[Pkg-shadow-devel] /var/log/ default file permissions
Bálint Réczey
balint at balintreczey.hu
Mon Mar 13 10:07:47 GMT 2023
Hi Craig,
Craig Andrews <candrews at integralblue.com> wrote (on 2023 Mar 8, Wed, 22:29):
>
> I'm working on evaluating Debian against STIGs and CIS benchmarks and
> one of the findings reported is:
>
> Verify permissions of log files:
> http://static.open-scap.org/ssg-guides/ssg-ubuntu2004-guide-stig.html#xccdf_org.ssgproject.content_rule_permissions_local_var_log
>
> This rule ensures that files in /var/log have 640 permissions.
>
> The shadow package seems to create/own a number of the files in /var/log
> and it sets the file permissions to 644.
>
> 640 makes more sense to me - there doesn't seem to be any reason for a
> regular user to read these logs.
Well, triaging problems without having to become root is comfortable
and this is the status quo.
> Could Debian consider using the more restrictive 640 permissions for the
> /var/log/ files, improving security by default?
Technically yes, but at the moment I don't see a need for the change.
Please discuss the topic with the Debian Security Team and if they are
on board with the change it may be implemented.
https://security-team.debian.org/contact.html
I see you raised the same topic upstream, too. While I share
upstream's view Debian can have different defaults and I respect the
Security Team's opinion.
Cheers,
Balint
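The check Craig's finding refers to, as an added example that is not code from this thread, from the shadow package or from the OpenSCAP guide: it lists regular files under a log directory whose mode has any bit beyond 0640 (the STIG ceiling), and can tighten them. It assumes GNU find (for the `-perm /MODE` form); the sample tree it builds is constructed for the demo, not a real /var/log.

```shell
#!/bin/sh
# Added example: audit a log directory against the 0640 ceiling and remediate.
# Assumes GNU find (-perm /MODE). The sample directory below is constructed.

# Print each regular file under $1 (default /var/log) that has any permission
# bit outside 0640. Mask 0137 = u+x, g+w, g+x, o+rwx: exactly the bits that
# 0640 (rw-r-----) does not allow, so 0644 and 0664 are flagged, 0640 is not.
audit_log_perms() {
    find "${1:-/var/log}" -type f -perm /0137 2>/dev/null | sort
}

# Remediation: strip only the excess bits, leaving owner rw and group r intact.
fix_log_perms() {
    audit_log_perms "$1" | while IFS= read -r f; do
        chmod u-x,g-wx,o-rwx "$f"
        printf 'tightened %s\n' "$f"
    done
}

# Build a constructed sample tree so the audit can be demonstrated offline.
make_sample_logdir() {
    d=$(mktemp -d)
    : > "$d/auth.log"; chmod 0640 "$d/auth.log"   # already compliant
    : > "$d/lastlog";  chmod 0644 "$d/lastlog"    # world-readable: flagged
    : > "$d/faillog";  chmod 0664 "$d/faillog"    # group-writable: flagged
    printf '%s\n' "$d"
}

# Demo: run with --demo to see the audit before and after remediation.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_logdir)
    echo "before:"; audit_log_perms "$d"
    fix_log_perms "$d"
    echo "after:";  audit_log_perms "$d"
    rm -rf "$d"
fi
```

Running `audit_log_perms` with no argument against a stock Debian /var/log reproduces the finding from the thread (files at 0644 are listed); `fix_log_perms` is the remediation the rule asks for, to be applied only after the policy decision discussed above.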