[ale] Any reason not to open read permissions to /var/log/messages?

Brian Whigham oobx at itmonger.com
Tue Apr 8 17:46:48 EDT 2008


Hasn't anyone else ever typed the password into the username prompt?  The
logs would read something like "failed login for abc124".  That's reason
enough for me to not allow everyone on the system to look at logs without
justification.

brian

2008/4/8 Michael H. Warfield <mhw at wittsend.com>:

>
> On Tue, 2008-04-08 at 14:24 -0400, Jeff Lightner wrote:
> > /var/log/messages is currently only read/write for root with no
> > permissions for anyone else.
>
> > Other than "none of their business" can anyone tell me any reason not
> > to allow DBAs the ability to read the file (i.e. change it to be read
> > for group and other)?
>
>         There can, occasionally, be sensitive information in there.  Just
> make sure nothing "security" related is being routed into that file and you
> may be OK.  Every once in a while the security level will have sensitive
> passwords when someone enters a password into a user id field.
>
>        I wouldn't open it up to just anyone poking, however.  Principle of
> minimums.  Minimum privs and minimum access.  If the DBAs need it,
> change the group to a specific group, give it read access and add it to
> their accounts as a secondary group.  Don't just a+r it.
>
>        Mike
>
> --
> Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
>   /\/\|=mhw=|\/\/          | (678) 463-0932 |
> http://www.wittsend.com/mhw/
>   NIC whois: MHW9          | An optimist believes we live in the best of all
>  PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
>
>
>
>
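The group-based approach Mike describes (dedicated group, group read only, never a+r), as an added shell example that is not from the thread. It assumes GNU coreutils (`stat -c`) and uses a temp file plus the caller's primary group as stand-ins for /var/log/messages and a real "dba" group, so it runs unprivileged.

```shell
#!/bin/sh
# Added example: restrict a log file to one group instead of making it
# world-readable, then verify that no world-readable mode remains.
# Assumes GNU coreutils. The group name is a parameter; in the thread it
# would be a dedicated group such as "dba" created by the admin.

# Restrict a log file to owner rw + group r (mode 640), owned by $group.
# Adding users to that group is a separate step, e.g. usermod -a -G dba user.
harden_log_access() {
    file=$1; group=$2
    chgrp "$group" "$file" && chmod 0640 "$file"
}

# Return 0 if the file is exactly mode 640 with the expected group, 1 otherwise.
check_log_access() {
    file=$1; group=$2
    [ "$(stat -c '%a %G' "$file")" = "640 $group" ]
}

# List files under a directory that anyone on the system can read.
# Empty output means nothing there has been a+r'd.
world_readable_logs() {
    find "$1" -type f -perm -o=r
}

# Demonstration on a constructed temp file (stand-in for /var/log/messages);
# the caller's primary group stands in for "dba".
demo_dir=$(mktemp -d)
touch "$demo_dir/messages"
chmod 0644 "$demo_dir/messages"               # the a+r state the thread warns against
world_readable_logs "$demo_dir"                # prints the file: world-readable
harden_log_access "$demo_dir/messages" "$(id -gn)"
check_log_access "$demo_dir/messages" "$(id -gn)" && echo "messages: 640, group-only read"
world_readable_logs "$demo_dir"                # prints nothing once hardened
rm -rf "$demo_dir"
```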

