svn commit: r349974 - head/libexec/rc/rc.d
Enji Cooper (yaneurabeya)
yaneurabeya at gmail.com
Mon Jul 15 03:23:55 UTC 2019
> On Jul 13, 2019, at 09:07, Ian Lepore <ian at freebsd.org> wrote:
>
> Author: ian
> Date: Sat Jul 13 16:07:38 2019
> New Revision: 349974
> URL: https://svnweb.freebsd.org/changeset/base/349974
>
> Log:
> Limit access to system accounting files.
>
> In 2013 the security chapter of the Handbook was updated in r42501 to
> suggest limiting access to the system accounting file [*1] by creating the
> initial file with a mode of 0600. This was in part based on a discussion in
> the forums [*2]. Unfortunately, this advice is overridden by the fact that a
> new file is created as part of periodic daily processing, and the file mode
> is set by the rc.d/accounting script.
>
> These changes update the accounting script to create the directory with mode
> 0750 if it doesn't already exist, and to create the daily file with mode
> 0640. This limits write access to root only, read access to root and members
> of wheel, and eliminates world access completely. For admins who want to
> prevent even members of wheel from accessing the files, the mode of the
> /var/account directory can be manually changed to 0700, because the script
> never creates or changes that directory if it already exists.
>
> The accounting_rotate_log() function now also handles the error cases of no
> existing log file to rotate, and attempting to rotate the file multiple
> times (.0 file already exists).
>
> Another small change here eliminates the complexity of the mktemp/chmod/mv
> sequence for creating a new acct file by using install(1) with the flags
> needed to directly create the file with the desired ownership and
> modes. That allows coalescing two separate if checkyesno accounting_enable
> blocks into one.
>
> These changes were inspired by my investigation of PR 202203.
>
> [1] https://www.freebsd.org/doc/handbook/security-accounting.html
> [2] http://forums.freebsd.org/showthread.php?t=41059
>
> PR: 202203
> Differential Revision: https://reviews.freebsd.org/D20876
Does this deserve a “Relnotes: yes”…?
Thanks!
-Enji
More information about the svn-src-all
mailing list