On 10/09/2012 02:17 PM, Lennart Poettering wrote:
> On Tue, 09.10.12 10:31, Matthew Miller (mattdm@xxxxxxxxxxxxxxxxx) wrote:
>> On Tue, Oct 09, 2012 at 04:05:10PM +0200, Lennart Poettering wrote:
>>> On Tue, 09.10.12 09:49, Matthew Miller (mattdm@xxxxxxxxxxxxxxxxx) wrote:
>>>> allowing regular users to do so. (Commonly currently accomplished by making /var/log/messages owned and readable by the wheel group.)
>>>
>>> The HTTP thingy is not really how admins should access the logs. They should just use journalctl.
>>
>> On a related but tangential note: I notice that journalctl allows access to members of the admin group by default.
>
> Well, I'd say this differently: we _restrict_ access to "adm", in contrast to the previous logic where everybody was allowed to read /var/log/messages and only root /var/log/secure.

When was previous - that access to /var/log/messages was allowed?

$ cat /etc/redhat-release
Fedora release 14 (Laughlin)
sclark66:~/Download
$ less /var/log/messages
/var/log/messages: Permission denied

>> In Fedora for the past few releases we've followed the tradition of making "wheel" the admin group -- see http://docs.fedoraproject.org/en-US/Fedora/17/html/Installation_Guide/sn-firstboot-systemuser.html
>> This is also the case in RHEL 6, so changes here have downstream implications.
>
> The way I see this is that "wheel" allows you to *do* privileged things, but "adm" allows you to *see* privileged things. Note that "adm" has been widely used for the log purpose on other Linux distros, most notably Debian and its descendants. On Debian /var/log/messages defaulted to being private to "adm", and we kinda wanted to unify things here and thought the Debian default is much nicer than the Fedora default of world-readability of logs, from a security PoV.
>
>> Could we make that a default on Fedora in addition to adm? (I assume this is polkit but can't see it offhand -- hmmm... looks to be hard-coded in the source?)
>>
>> I don't really have a strong opinion about whether adm should work or not, but wheel should.
>
> Well, we could of course add this as ACL, but I wonder if it wouldn't be nicer to declare that "adm" is for seeing, and "wheel" for doing as I suggested above.
>
>> Second, there's a traditional separation between /var/log/secure and /var/log/messages. Crucially, the "secure" log may contain accidentally-typed user passwords and other privacy-sensitive information. How can we do something similar with the systemd journal and journalctl?
>
> As mentioned no system messages are user-readable by default in the journal. We are more secure by default with the journal.
>
>> Ideally, the /var/log/messages data would be available to members of the admin group without extra authentication, but seeing the potentially-privacy sensitive /var/log/secure should require re-authentication. (As a sysadmin, I should be able to safely look at message data with a user looking over my shoulder, so I can help them without possibly exposing private information about other users on the system.)
>
> Well, honestly the old secure vs. messages split is kinda broken, simply because old syslog didn't check the originator of messages and hence unprivileged processes could have their data spill into the presumed "secure" logs. Splitting this off based on the "facility" field is fake security, and we don't do "fake security" anymore with the journal.
>
> Lennart

--
Stephen Clark
NetWolves
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark@xxxxxxxxxxxxx
http://www.netwolves.com

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
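
The point made in the thread about the syslog "facility" field, as an added example that is not part of the original messages: the facility is encoded in the `<PRI>` header chosen by the sender, so routing on it cannot separate privileged from unprivileged writers, while routing on metadata the receiver records itself can. The sample frames, the uid values and the `route_by_origin` policy are constructed assumptions for illustration.

```python
import re

# Facility codes from the syslog protocol (subset); PRI = facility * 8 + severity.
FACILITIES = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 10: "authpriv"}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def parse_pri(frame):
    """Split a raw syslog frame into (facility, severity, text)."""
    m = PRI_RE.match(frame)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range")
    return FACILITIES.get(pri >> 3, str(pri >> 3)), pri & 7, m.group(2)

def route_by_facility(frame):
    """Classic split: authpriv.* goes to 'secure', everything else to 'messages'."""
    facility, _severity, _text = parse_pri(frame)
    return "secure" if facility == "authpriv" else "messages"

def route_by_origin(sender_uid, frame):
    """Hypothetical policy: trust only the uid the receiver recorded for the
    sender and ignore whatever facility the frame claims."""
    return "secure" if sender_uid == 0 else "messages"

# Constructed samples: (uid recorded by the receiver, raw frame as sent).
SAMPLES = [
    (0, "<86>sshd[812]: Accepted publickey for alice"),         # authpriv.info, root
    (1000, "<86>fake[4242]: text chosen by an ordinary user"),  # authpriv.info, uid 1000
    (1000, "<14>app[4243]: started"),                           # user.info, uid 1000
]

def compare():
    """Return (uid, facility-based destination, origin-based destination)."""
    return [(uid, route_by_facility(f), route_by_origin(uid, f)) for uid, f in SAMPLES]

if __name__ == "__main__":
    for uid, by_facility, by_origin in compare():
        print(f"uid={uid:<5} facility-routing={by_facility:<9} origin-routing={by_origin}")
```

The second sample is the case described in the thread: an unprivileged sender claims `authpriv` and lands in the "secure" file under facility routing, but not when the destination depends on who actually sent it.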