svn commit: r349974 - head/libexec/rc/rc.d

Enji Cooper (yaneurabeya) yaneurabeya at gmail.com
Mon Jul 15 03:23:55 UTC 2019


> On Jul 13, 2019, at 09:07, Ian Lepore <ian at freebsd.org> wrote:
> 
> Author: ian
> Date: Sat Jul 13 16:07:38 2019
> New Revision: 349974
> URL: https://svnweb.freebsd.org/changeset/base/349974
> 
> Log:
>  Limit access to system accounting files.
> 
>  In 2013 the security chapter of the Handbook was updated in r42501 to
>  suggest limiting access to the system accounting file [*1] by creating the
>  initial file with a mode of 0600. This was in part based on a discussion in
>  the forums [*2]. Unfortunately, this advice is overridden by the fact that a
>  new file is created as part of periodic daily processing, and the file mode
>  is set by the rc.d/accounting script.
> 
>  These changes update the accounting script to create the directory with mode
>  0750 if it doesn't already exist, and to create the daily file with mode
>  0640. This limits write access to root only, read access to root and members
>  of wheel, and eliminates world access completely. For admins who want to
>  prevent even members of wheel from accessing the files, the mode of the
>  /var/account directory can be manually changed to 0700, because the script
>  never creates or changes that directory if it already exists.
> 
>  The accounting_rotate_log() function now also handles the error cases of no
>  existing log file to rotate, and attempting to rotate the file multiple
>  times (.0 file already exists).
> 
>  Another small change here eliminates the complexity of the mktemp/chmod/mv
>  sequence for creating a new acct file by using install(1) with the flags
>  needed to directly create the file with the desired ownership and
>  modes. That allows coalescing two separate if checkyesno accounting_enable
>  blocks into one.
> 
>  These changes were inspired by my investigation of PR 202203.
> 
>  [1] https://www.freebsd.org/doc/handbook/security-accounting.html
>  [2] http://forums.freebsd.org/showthread.php?t=41059
> 
>  PR:		202203
>  Differential Revision:	https://reviews.freebsd.org/D20876

Does this deserve a “Relnotes: yes”…?
Thanks!
-Enji


More information about the svn-src-all mailing list