Hi,

[EMAIL PROTECTED] wrote:
>
> I've played with LIDS some time ago. As far as I know, you
> could simply allow the /usr/sbin/logrotate program to write
> to the specified log directories and make the executable
> itself write-protected (at least all the "sbin"-programs
> should be so, right?) so that it can't be modified.
>
> Hope that this helps.
No, that doesn't help. In your solution everybody can execute logrotate with ANY configuration file as OFTEN as he wants to. So everybody can delete or even modify (if APPEND is allowed) the logfiles.

First you have to protect the "ANY configuration file". This can be done by giving the specific rights to /etc/cron.daily/logrotate. Then you have to limit the number of executions, so /etc/cron.daily(/logrotate) has to be protected for everyone (DENY) besides crond. In addition, crontab etc. have to be protected, too. There are many more solutions for this problem...

Sorry, I don't have any Debian-specific solution, but I just wanted to tell you that your solution is wrong and gives a false sense of security.

Regards,
Ralf Dreibrodt

--
Mesos          Telefon 49 221 9639263
Wallstr. 123   Fax     49 221 9646649
51063 Koeln    Mail    [EMAIL PROTECTED]