misc/180854: Default permission bits for /var/account are insecure.

Thu Jul 25 19:40:02 UTC 2013

>Number:         180854
>Category:       misc
>Synopsis:       Default permission bits for /var/account are insecure.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 25 19:40:01 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     ShelLuser
>Release:        9.1-RELEASE
>Organization:
>Environment:
FreeBSD smtp2.losoco.com 9.1-RELEASE-p3 FreeBSD 9.1-RELEASE-p3 #0: Mon Apr 29 18:27:25 UTC 2013     root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

>Description:
The default permission bits for /var/account are set to 655 right after you installed the FreeBSD base system.

However; because the tools used for process accounting do not take the current user account into consideration this means that anyone who follows the instructions from the FreeBSD handbook to setup process accounting ends up with a potentially dangerous setup because from that point on all user accounts on the system can access the collected accounting data, for example by using lastcomm.

The instructions I'm referring to can be found here:
http://www.freebsd.org/doc/handbook/security-accounting.html

>How-To-Repeat:
* Install FreeBSD 9.1-RELEASE (though I have reasons to assume this also applies to other versions).
* Enable process accounting using the instructions from the FreeBSD handbook.
* Run /usr/bin/lastcomm using a regular user account.

>Fix:
Either using "chmod 650 /var/account" to limit access to root and the wheel group only, or perhaps using "chmod 600 /var/account" to limit access to root only.

My suggestion would be to change the default permission bits for /var/account.

>Release-Note:
>Audit-Trail:
>Unformatted: