Bug 127255 - [PATCH,SECURITY] security/logcheck: fix security concern about instruction in pkg-message
Summary: [PATCH,SECURITY] security/logcheck: fix security concern about instruction in...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Greg Larkin
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-09-09 21:20 UTC by Yasuhiro Kimura
Modified: 2008-09-11 19:42 UTC (History)
0 users

See Also:

Attachments
patch-logcheck (6.97 KB, text/plain)
2008-09-09 21:20 UTC, Yasuhiro Kimura 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Yasuhiro Kimura freebsd_committer freebsd_triage 2008-09-09 21:20:02 UTC 
	- Fix security concern about instuction in pkg-message.
	  In pkg-message there is instruction that all log files
	  checked by logcheck should be readable by wheel group.
	  By default, some log files such as /var/log/auth.log or
	  /var/log/security is readable only by root because it may
	  include some sensitive information. So if you want to check
	  these files by logcheck, you are required to make them readable
	  by wheel group user. But primary purpose of wheel group is
	  to limit the users who can get root privilige by using su(1).
	  So it is quite common that some users belong to wheel group.
	  Then let's think of following situation. A user who belongs to
	  wheel group logged in to server and went to lunch forgetting
	  to logout or lock screen. Then someone evil came and found
	  unlocked terminal. If the permission of /var/log/auth.log of
	  /var/log/security is not changed, the evil cannot read them
	  unless he knows root password of the server. But if these files
	  readable by wheel group, he can read these log files simply by
	  displaying them using cat, less, or similar command, and access to
	  sensitive information inside them. So the instructions should be
	  changed so that all log files checked by logcheck should be
	  readable by logcheck group rather than wheel group.
	- Stop adding user 'logcheck' to wheel group.
	- Use 915/915 as UID/GID of 'logcheck' user.
	- Use /var/db/logcheck instead of /var/lib/logcheck because
	  /var/lib is not accessible by non-wheel user.
	- Use MASTER_SITE_DEBIAN as MASTER_SITES.
	- Use USE_PERL5 for perl dependency.
	- Use @dirrmtry in pkg-plist.
	- Bump PORTREVISION.

	I think this patch should be committed by asking for portmgr's
	approval before final package build for 6.4/7.1 is started.
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2008-09-09 21:20:14 UTC 
Responsible Changed
From-To: freebsd-ports-bugs->glarkin

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 Greg Larkin freebsd_committer freebsd_triage 2008-09-09 21:44:50 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Yasuhiro,

Thank you for the security/logcheck patch.  Coincidentally, I recently
submitted a commit request to portmgr@FreeBSD.org for a very similar
patch of my own, found here:
http://people.freebsd.org/~glarkin/diffs/logcheck-5.diff

However, my patch does not address the main security issue that you
raised regarding the membership of the logcheck user in the wheel group.
 I will take your patch and incorporate it into my existing work and
resubmit for portmgr approval.

Best regards,
Greg
- --
Greg Larkin

http://www.FreeBSD.org/       - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIxuBC0sRouByUApARAte/AKCLeiPmLrENXZubaF7aPE1kvn9jlACgidRG
xdsQysULz9aj980fCWFavAg=
=aB1I
-----END PGP SIGNATURE-----
Comment 3 dfilter service freebsd_committer freebsd_triage 2008-09-11 01:30:18 UTC 
glarkin     2008-09-11 00:30:09 UTC

  FreeBSD ports repository

  Modified files:
    .                    UIDs UPDATING 
    security/logcheck    Makefile pkg-plist 
    security/logcheck/files patch-src__logcheck pkg-deinstall.in 
                            pkg-install.in pkg-message.in 
  Log:
  - Fixed logcheck script silent failure in previous commit
  - Added handling for crontab installation problems
  - Incorported security fixes from PR opened after previous commit
  - Added UPDATING entry since configuration options have changed
    fairly significantly
  
  PR:             ports/122842
  Submitted by:   Cezary Morga <cm@therek.net>
  PR:             ports/127255
  Submitted by:   Yasuhiro KIMURA <yasu at utahime dot org>
  Reviewed by:    glarkin
  Approved by:    beech (mentor, implicit)
  Approved by:    portmgr (marcus)
  Security:       Incorrect addition of logcheck user to wheel group
  
  Revision  Changes    Path
  1.75      +2 -2      ports/UIDs
  1.717     +49 -1     ports/UPDATING
  1.23      +28 -18    ports/security/logcheck/Makefile
  1.2       +14 -6     ports/security/logcheck/files/patch-src__logcheck
  1.2       +2 -2      ports/security/logcheck/files/pkg-deinstall.in
  1.2       +17 -8     ports/security/logcheck/files/pkg-install.in
  1.2       +2 -2      ports/security/logcheck/files/pkg-message.in
  1.11      +3 -3      ports/security/logcheck/pkg-plist
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 4 Greg Larkin freebsd_committer freebsd_triage 2008-09-11 19:41:31 UTC 
State Changed
From-To: open->closed

Committed after incorporating security fixes into a 
pre-existing patch, thanks!