Excerpts from Kees Cook's message of Wed May 25 10:01:12 -0700 2011:
> On Wed, May 25, 2011 at 08:07:14AM -0400, Scott Kitterman wrote:
> > On Tuesday, May 24, 2011 06:00:17 PM Clint Byrum wrote:
> > > Excerpts from Kees Cook's message of Tue May 24 11:46:48 -0700 2011:
> > > > One unresolved problem is that the local default user (who is part of
> > > > "admin") is also part of the "adm" group, which means these log files
> > > > are visible without additional privileges:
> > > >
> > > > -rw-r----- 1 root adm 25937 2011-05-24 10:59 /var/log/dmesg
> > > > -rw-r----- 1 syslog adm 0 2011-05-24 11:17 /var/log/kern.log
> > > >
> > > > (And some systems have a historically world-readable /var/log/dmesg that
> > > > should be fixed...) Does anyone see any problems in removing the default
> > > > user from the "adm" group? It seems to almost exclusively only be used
> > > > for log file reading permissions...
> > > >
> > > > Thoughts, flames, etc?
> > >
> > > +1
> > >
> > > I've always been a bit surprised at how much I can see in /var/log when
> > > logged into a brand new box as the initial admin user. I think users are
> > > accustomed to sudo when debugging issues, and I'm comfortable with saying
> > > that reading /var/log/* is just one more thing you need to use sudo for.
>
> Clint, what do you think of the proposal below? It's a less dramatic
> change, which might be more well received ultimately.

+1 for a less surprising and still quite effective way of achieving the goal.
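
An added example, not part of the original thread: a POSIX shell audit that reports which files under /var/log a given user can read without sudo, and through which permission class (owner, a group such as "adm", or the world bit). The function names `classify_access` and `audit_logs` are hypothetical; it assumes GNU `stat`, and ignores ACLs and root's bypass of file modes.

```shell
#!/bin/sh
# classify_access MODE OWNER GROUP USER [USER_GROUP...]
# MODE is the symbolic mode as printed by `ls -l` or `stat -c %A`.
# Unix checks exactly one class: owner, else group, else other.
classify_access() {
    mode=$1 owner=$2 group=$3 user=$4
    shift 4
    if [ "$user" = "$owner" ]; then
        case $mode in ?r*) echo owner ;; *) echo restricted ;; esac
        return 0
    fi
    for g in "$@"; do
        if [ "$g" = "$group" ]; then
            # Group class applies even if the world bit would allow more.
            case $mode in ????r*) echo "group:$group" ;; *) echo restricted ;; esac
            return 0
        fi
    done
    case $mode in ???????r*) echo world ;; *) echo restricted ;; esac
}

# audit_logs USER [DIR]
# Prints one line per file under DIR (default /var/log) that USER can
# read without extra privileges, prefixed by the class granting access.
audit_logs() {
    a_user=$1
    a_dir=${2:-/var/log}
    a_groups=$(id -Gn "$a_user") || return 1
    find "$a_dir" -xdev -type f -exec stat -c '%A %U %G %n' {} + 2>/dev/null |
    while read -r f_mode f_owner f_group f_path; do
        # The group list is split on whitespace on purpose.
        # shellcheck disable=SC2086
        verdict=$(classify_access "$f_mode" "$f_owner" "$f_group" "$a_user" $a_groups)
        [ "$verdict" = restricted ] || printf '%-12s %s\n' "$verdict" "$f_path"
    done
}
```

Running `audit_logs "$USER"` before and after removing the account from "adm" shows which files the change actually closes off; any lines still tagged `world` are files like the historically world-readable /var/log/dmesg mentioned in the thread.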
