Re: systemd requires HTTP server and serves QR codes

On Tue, Oct 09, 2012 at 08:17:41PM +0200, Lennart Poettering wrote:
> Well, I'd say this differently: we _restrict_ access to "adm", in
> contrast to the previous logic where everybody was allowed to read
> /var/log/messages and only root /var/log/secure.

Well, except they're both not readable in current releases.


> Well, we could of course add this as ACL, but I wonder if it wouldn't be
> nicer to declare that "adm" is for seeing, and "wheel" for doing as I
> suggested above.

I could maybe be brought around to this, but I'm not sure if the confusion
outweighs the gain.

(I think in particular since neither group name is very explanatory, pushing
"adm is read-only administrative" is an uphill battle.)

> > Second, there's a traditional separation between /var/log/secure and
> > /var/log/messages. Crucially, the "secure" log may contain
> > accidentally-typed user passwords and other privacy-sensitive information.
> > How can we do something similar with the systemd journal and
> > journalctl?
> As mentioned no system messages are user-readable by default in the
> journal. We are more secure by default with the journal.

Not if they're not easily split out again for the practical use case I gave.
Another case might be the thing which started this whole thread: exposing
_some_ system messages to localhost via the web interface, but not ones of a
certain level.

> > sensitive /var/log/secure should require re-authentication. (As a
> > sysadmin, I should be able to safely look at message data with a user
> > looking over my shoulder, so I can help them without possibly exposing
> > private information about other users on the system.)
> Well, honestly the old secure vs. messages split is kinda broken, simply
> because old syslog didn't check the originator of messages and hence
> unprivileged processes could have their data spill into the presumed
> "secure" logs. Splitting this off based on the "facility" field is fake
> security, and we don't do "fake security" anymore with the journal.

The concern isn't whether messages get _in_ to the /var/log/secure. Think of
it as "/var/log/authpriv" or "/var/log/privacy-sensitive" if that helps.

Also, please consider that "world readable" and "readable to admins without
authentication" aren't the only possible levels.

-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  <mattdm@xxxxxxxxxxxxxxxxx>
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
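As an added illustration of the distinction the thread draws (this is not code from the thread or from systemd): journald stamps every entry with trusted, underscore-prefixed fields such as _UID and _COMM that the sending process cannot set, whereas SYSLOG_FACILITY is whatever the sender claims. The classifier below builds a privacy-sensitive view from the trusted fields only, and separately flags entries that claim the authpriv facility without coming from root. The sample records are constructed to match `journalctl -o json` output, and the set of authentication-related command names is an assumption.

```python
import json

# Facility 10 is LOG_AUTHPRIV in syslog(3). The sender chooses it, so on
# its own it proves nothing about who actually wrote the message.
AUTHPRIV_FACILITY = "10"

# Assumed list: commands whose output is treated as privacy-sensitive no
# matter which facility they claim. Matched on _COMM, which journald fills
# in from the sender's credentials rather than from the message.
SENSITIVE_COMMS = {"sshd", "sudo", "login", "su", "unix_chkpwd"}


def is_sensitive(entry):
    """True if the entry belongs in the restricted ("secure") view.

    Only trusted fields are consulted; client-supplied fields such as
    SYSLOG_FACILITY play no part in the decision.
    """
    return entry.get("_UID") == "0" and entry.get("_COMM") in SENSITIVE_COMMS


def claims_authpriv_untrusted(entry):
    """Detection: entry labelled authpriv but not originating from root.

    This is exactly the case in which facility-based splitting would have
    misfiled an unprivileged process's output into the "secure" log.
    """
    return (entry.get("SYSLOG_FACILITY") == AUTHPRIV_FACILITY
            and entry.get("_UID") != "0")


def split_journal(json_lines):
    """Split `journalctl -o json` lines into (general, sensitive) lists."""
    general, sensitive = [], []
    for line in json_lines:
        entry = json.loads(line)
        (sensitive if is_sensitive(entry) else general).append(entry)
    return general, sensitive


# Constructed sample entries in the shape of `journalctl -o json` output.
SAMPLE = [
    '{"MESSAGE": "Accepted publickey for alice", "_UID": "0", "_COMM": "sshd", "SYSLOG_FACILITY": "10", "PRIORITY": "6"}',
    '{"MESSAGE": "Started Daily Cleanup", "_UID": "0", "_COMM": "systemd", "SYSLOG_FACILITY": "3", "PRIORITY": "6"}',
    '{"MESSAGE": "look at me", "_UID": "1000", "_COMM": "python3", "SYSLOG_FACILITY": "10", "PRIORITY": "6"}',
]

if __name__ == "__main__":
    general, sensitive = split_journal(SAMPLE)
    print(len(general), "general,", len(sensitive), "sensitive")
```

The third sample entry claims authpriv but is classified as general, and `claims_authpriv_untrusted` reports it, which is the facility-spoofing case the quoted message describes.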