misc/180854: Default permission bits for /var/account are insecure.
ShelLuser
pl at catslair.org
Thu Jul 25 19:40:02 UTC 2013
>Number: 180854
>Category: misc
>Synopsis: Default permission bits for /var/account are insecure.
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu Jul 25 19:40:01 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: ShelLuser
>Release: 9.1-RELEASE
>Organization:
>Environment:
FreeBSD smtp2.losoco.com 9.1-RELEASE-p3 FreeBSD 9.1-RELEASE-p3 #0: Mon Apr 29 18:27:25 UTC 2013 root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
The default permission bits for /var/account are set to 655 right after you installed the FreeBSD base system.
However; because the tools used for process accounting do not take the current user account into consideration this means that anyone who follows the instructions from the FreeBSD handbook to setup process accounting ends up with a potentially dangerous setup because from that point on all user accounts on the system can access the collected accounting data, for example by using lastcomm.
The instructions I'm referring to can be found here:
http://www.freebsd.org/doc/handbook/security-accounting.html
>How-To-Repeat:
* Install FreeBSD 9.1-RELEASE (though I have reasons to assume this also applies to other versions).
* Enable process accounting using the instructions from the FreeBSD handbook.
* Run /usr/bin/lastcomm using a regular user account.
>Fix:
Either using "chmod 650 /var/account" to limit access to root and the wheel group only, or perhaps using "chmod 600 /var/account" to limit access to root only.
My suggestion would be to change the default permission bits for /var/account.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list