[Bug 202203] acct(5): accounting, the default rc.conf doesn't match periodic.conf

bugzilla-noreply at freebsd.org
Sun Jul 7 18:18:19 UTC 2019


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202203

Ian Lepore <ian at FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bugs at FreeBSD.org            |ian at FreeBSD.org
             Status|New                         |In Progress
                 CC|                            |ian at FreeBSD.org,
                   |                            |wblock at FreeBSD.org

--- Comment #2 from Ian Lepore <ian at FreeBSD.org> ---
r349807 should eliminate the spurious daily error messages.  I believe that
leaves two things to fix:

 1. The rc.d/accounting script recreates the acct file every day with insecure
file mode bits (likewise when it creates the /var/account dir).

 2. The advice in the handbook has become outdated.


For #1, I've posted a phab review, https://reviews.freebsd.org/D20876


For #2, I propose updating the handbook.  I'm not a docs person, so I don't
have a diff for that, but I propose that the new sequence for enabling it be
changed from touch/chmod/accton/sysrc to:

   service accounting enable
   service accounting start

Then a paragraph should be added about file security, something like:

The accounting information is stored in files located in /var/account, which is
automatically created, if necessary, the first time the accounting service
starts.  These files contain sensitive information, including all the commands
issued by all users.  Write access to the files is limited to root, and read
access is limited to root and members of the wheel group.  To also prevent
members of wheel from reading the files, change the mode of the /var/account
directory to allow access only by root.

-- 
You are receiving this mail because:
You are the assignee for the bug.
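
The access policy described in the comment above (write access for root only, read access for root and members of wheel), as an added audit check that is not part of the original message or of the FreeBSD rc.d/accounting script. The function name and the ACCT_* variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit process-accounting storage against the policy in the
# comment above (writable only by the owner, readable only by owner + group).
# ACCT_DIR, ACCT_OWNER and ACCT_GROUP are assumptions of this example.
ACCT_DIR=${ACCT_DIR:-/var/account}
ACCT_OWNER=${ACCT_OWNER:-root}
ACCT_GROUP=${ACCT_GROUP:-wheel}

# Print one "reason: path" line per violation found in the directory and
# everything below it. Returns 0 if clean, 1 on violations, 2 if dir missing.
audit_acct_dir() {
    dir=${1:-$ACCT_DIR}
    owner=${2:-$ACCT_OWNER}
    group=${3:-$ACCT_GROUP}
    [ -d "$dir" ] || { echo "missing: $dir"; return 2; }
    findings=$(
        find "$dir" ! -user "$owner" -exec echo "wrong-owner:" {} \;
        find "$dir" ! -group "$group" -exec echo "wrong-group:" {} \;
        # Group may read, but must never be able to write accounting data.
        find "$dir" -perm -0020 -exec echo "group-writable:" {} \;
        # "Other" must have no access at all (read, write or execute/search).
        find "$dir" \( -perm -0004 -o -perm -0002 -o -perm -0001 \) \
            -exec echo "other-access:" {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: audit_acct_dir            (checks /var/account for root:wheel)
```

To verify the stricter variant from the last sentence of the proposed paragraph, check additionally that the directory itself carries no group permission bits.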

