#543 secure config and log permissions
Closed: Fixed None Opened 4 years ago by kurtseifried.

All configuration files (e.g. files in /etc/) and all log files (e.g. files in /var/log/) must not be set world-readable unless there is a functional reason to do so. By default, configuration files should be chmod 600 or 0640 and log files should be chmod 0600. This is due to a continuing number of security issues with world readable files that contain sensitive information (e.g. passwords and access tokens or logged usernames and commands for example).


I'm not sure this is necessarily a win. Wouldn't it result in administrators spending more time as root (either basically always acting as root, or sudoing much more often)? The vast majority of configuration files are not sensitive in this way, and making debug logs root only seems like a step back in usability.

That is a potential problem, but it is offset by the certainty that we end up with security flaws that need to be fixed because these files are world readable. In any event world readable configuration files with sensitive info will HAVE to be fixed so we end up with CVE whack-a-mole.

I agree with this in principle, but I do think that we should probably try to follow the journald example and have a group which is allowed to read logs if we're really going to do this. Otherwise I guess I can set some ACLs, but then you still need g+rX.

Replying to [comment:3 tibbs]:

I agree with this in principle, but I do think that we should probably try to follow the journald example and have a group which is allowed to read logs if we're really going to do this. Otherwise I guess I can set some ACLs, but then you still need g+rX.

This is also possible however that would require a new group/etc. which I felt was outside the scope of my request (e.g. that would apply to log files, but not the configuration files).

Perhaps we should consider these issues separately, should I close this and refile as two issues?

There's no need for another group; we already grant full journal access to adm (and wheel, along with systemd-journal) via an ACL:

{{{
~> getfacl /var/log/journal
getfacl: Removing leading '/' from absolute path names

file: var/log/journal

owner: root

group: systemd-journal

flags: -s-

user::rwx
group::r-x
group:adm:r-x
group:wheel:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:adm:r-x
default:group:wheel:r-x
default:mask::r-x
default:other::r-x
}}}

Why not just do the same? Then the only question is what happens when RPM installs a mode 600 file into a directory with a default ACL that has a nonzero mask.

We discussed this at this weeks meeting (http://meetbot.fedoraproject.org/fedora-meeting-1/2015-06-25/fpc.2015-06-25-16.01.txt):

  • 543 secure config and log permissions (geppetto, 16:37:49)

  • LINK: https://fedorahosted.org/fpc/ticket/543 (geppetto, 16:37:49)
  • ACTION: Seems like too big a change for FPC to just accept it, needs
    systemwide change and FESCO sign off. (geppetto, 16:46:55)

Metadata Update from @james:
- Issue assigned to tibbs

2 years ago

Login to comment on this ticket.

Metadata