- Fix security concern about instuction in pkg-message.
In pkg-message there is instruction that all log files
checked by logcheck should be readable by wheel group.
By default, some log files such as /var/log/auth.log or
/var/log/security is readable only by root because it may
include some sensitive information. So if you want to check
these files by logcheck, you are required to make them readable
by wheel group user. But primary purpose of wheel group is
to limit the users who can get root privilige by using su(1).
So it is quite common that some users belong to wheel group.
Then let's think of following situation. A user who belongs to
wheel group logged in to server and went to lunch forgetting
to logout or lock screen. Then someone evil came and found
unlocked terminal. If the permission of /var/log/auth.log of
/var/log/security is not changed, the evil cannot read them
unless he knows root password of the server. But if these files
readable by wheel group, he can read these log files simply by
displaying them using cat, less, or similar command, and access to
sensitive information inside them. So the instructions should be
changed so that all log files checked by logcheck should be
readable by logcheck group rather than wheel group.
- Stop adding user 'logcheck' to wheel group.
- Use 915/915 as UID/GID of 'logcheck' user.
- Use /var/db/logcheck instead of /var/lib/logcheck because
/var/lib is not accessible by non-wheel user.
- Use MASTER_SITE_DEBIAN as MASTER_SITES.
- Use USE_PERL5 for perl dependency.
- Use @dirrmtry in pkg-plist.
- Bump PORTREVISION.
I think this patch should be committed by asking for portmgr's
approval before final package build for 6.4/7.1 is started.
Over to maintainer (via the GNATS Auto Assign Tool)
-----BEGIN PGP SIGNED MESSAGE-----
Thank you for the security/logcheck patch. Coincidentally, I recently
submitted a commit request to portmgr@FreeBSD.org for a very similar
patch of my own, found here:
However, my patch does not address the main security issue that you
raised regarding the membership of the logcheck user in the wheel group.
I will take your patch and incorporate it into my existing work and
resubmit for portmgr approval.
http://www.FreeBSD.org/ - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
glarkin 2008-09-11 00:30:09 UTC
FreeBSD ports repository
. UIDs UPDATING
security/logcheck Makefile pkg-plist
security/logcheck/files patch-src__logcheck pkg-deinstall.in
- Fixed logcheck script silent failure in previous commit
- Added handling for crontab installation problems
- Incorported security fixes from PR opened after previous commit
- Added UPDATING entry since configuration options have changed
Submitted by: Cezary Morga <firstname.lastname@example.org>
Submitted by: Yasuhiro KIMURA <yasu at utahime dot org>
Reviewed by: glarkin
Approved by: beech (mentor, implicit)
Approved by: portmgr (marcus)
Security: Incorrect addition of logcheck user to wheel group
Revision Changes Path
1.75 +2 -2 ports/UIDs
1.717 +49 -1 ports/UPDATING
1.23 +28 -18 ports/security/logcheck/Makefile
1.2 +14 -6 ports/security/logcheck/files/patch-src__logcheck
1.2 +2 -2 ports/security/logcheck/files/pkg-deinstall.in
1.2 +17 -8 ports/security/logcheck/files/pkg-install.in
1.2 +2 -2 ports/security/logcheck/files/pkg-message.in
1.11 +3 -3 ports/security/logcheck/pkg-plist
email@example.com mailing list
To unsubscribe, send any mail to "firstname.lastname@example.org"
Committed after incorporating security fixes into a
pre-existing patch, thanks!