On 02/28/11 17:46, Steve Grubb wrote:
> On Friday, February 25, 2011 03:13:31 am Matthias Runge wrote:
>> - change systems logs owners from root:root mode 600 to root:adm mode
>> 640 (or something similar)
>
> So, what would be the implementation of this? How would logcheck or any log reader
> work? Would they be setgid applications or would they start as root and change to this
> new account?
>
> There are things in the logs that ordinary users cannot have access to by default.
>
> -Steve

I try to keep this simple: normal users don't get into those groups.
Installing logcheck etc. will require some administrative rights, there
is no disclosure of something that should be hidden. I won't give
logcheck etc. any setuid/setgid (why should we do so, we don't need to!)

The simple concept is as depicted above: create a group "logreader" and
change group ownership of all(/some) system logs to logreader. That's it.

I know, there are other applications, like logwatch. This may/could be
changed not to require root permission.

Its implementation will be very simple and fast. AFAIK there will be no
breakage of existing packages, but we gain more flexibility.

Matthias

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
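The group-ownership change proposed in the message above, with a check that flags files deviating from it, as an added example that is not part of the original thread. The function names are hypothetical, and the demo uses a scratch directory and the caller's own gid as stand-ins for the system log directory and the "logreader" group so it runs without root.

```shell
#!/bin/sh
# Added example (not from the thread). The message names the group
# "logreader"; the demo uses the caller's own gid so it runs without root.

# Set group ownership and mode 0640 on every regular file under DIR.
apply_log_perms() {
    dir=$1; group=$2
    find "$dir" -type f -exec chgrp "$group" {} \; -exec chmod 0640 {} \;
}

# Print regular files under DIR whose group is not GROUP or whose mode is
# not exactly 0640. Returns 0 when everything conforms, 1 otherwise.
audit_log_perms() {
    dir=$1; group=$2
    bad=$(find "$dir" -type f \( ! -group "$group" -o ! -perm 0640 \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Demo on constructed files in a scratch directory (stand-in for the log dir).
demo() {
    scratch=$(mktemp -d) || return 1
    gid=$(id -g)
    echo 'constructed line' > "$scratch/messages"; chmod 0600 "$scratch/messages"
    echo 'constructed line' > "$scratch/secure";   chmod 0644 "$scratch/secure"
    echo "before:"; audit_log_perms "$scratch" "$gid" || echo "(nonconforming)"
    apply_log_perms "$scratch" "$gid"
    echo "after:";  audit_log_perms "$scratch" "$gid" && echo "(all conform)"
    rm -rf "$scratch"
}

demo
```

Files recreated by log rotation or by the syslog daemon get whatever owner and mode those tools are configured with, so the audit is worth re-running after a rotation.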