> On Jul 13, 2019, at 09:07, Ian Lepore <i...@freebsd.org> wrote: > > Author: ian > Date: Sat Jul 13 16:07:38 2019 > New Revision: 349974 > URL: https://svnweb.freebsd.org/changeset/base/349974 > > Log: > Limit access to system accounting files. > > In 2013 the security chapter of the Handbook was updated in r42501 to > suggest limiting access to the system accounting file [*1] by creating the > initial file with a mode of 0600. This was in part based on a discussion in > the forums [*2]. Unfortunately, this advice is overridden by the fact that a > new file is created as part of periodic daily processing, and the file mode > is set by the rc.d/accounting script. > > These changes update the accounting script to create the directory with mode > 0750 if it doesn't already exist, and to create the daily file with mode > 0640. This limits write access to root only, read access to root and members > of wheel, and eliminates world access completely. For admins who want to > prevent even members of wheel from accessing the files, the mode of the > /var/account directory can be manually changed to 0700, because the script > never creates or changes that directory if it already exists. > > The accounting_rotate_log() function now also handles the error cases of no > existing log file to rotate, and attempting to rotate the file multiple > times (.0 file already exists). > > Another small change here eliminates the complexity of the mktemp/chmod/mv > sequence for creating a new acct file by using install(1) with the flags > needed to directly create the file with the desired ownership and > modes. That allows coalescing two separate if checkyesno accounting_enable > blocks into one. > > These changes were inspired by my investigation of PR 202203. > > [1] https://www.freebsd.org/doc/handbook/security-accounting.html > [2] http://forums.freebsd.org/showthread.php?t=41059 > > PR: 202203 > Differential Revision: https://reviews.freebsd.org/D20876
Does this deserve a “Relnotes: yes”…? Thanks! -Enji _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
