Bug 180854

Summary: Default permission bits for /var/account are insecure.
Product: Base System Reporter: pl
Component: miscAssignee: freebsd-bugs mailing list <bugs>
Status: Open ---    
Severity: Affects Only Me    
Priority: Normal    
Version: 9.1-RELEASE   
Hardware: Any   
OS: Any   

Description pl 2013-07-25 20:40:01 UTC
The default permission bits for /var/account are set to 655 right after you installed the FreeBSD base system.

However; because the tools used for process accounting do not take the current user account into consideration this means that anyone who follows the instructions from the FreeBSD handbook to setup process accounting ends up with a potentially dangerous setup because from that point on all user accounts on the system can access the collected accounting data, for example by using lastcomm.

The instructions I'm referring to can be found here:
http://www.freebsd.org/doc/handbook/security-accounting.html

Fix: 

Either using "chmod 650 /var/account" to limit access to root and the wheel group only, or perhaps using "chmod 600 /var/account" to limit access to root only.

My suggestion would be to change the default permission bits for /var/account.
How-To-Repeat: * Install FreeBSD 9.1-RELEASE (though I have reasons to assume this also applies to other versions).
* Enable process accounting using the instructions from the FreeBSD handbook.
* Run /usr/bin/lastcomm using a regular user account.
Comment 1 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 08:01:42 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped