permissions
hi,
after finding that world writable library I decided to search for
other bad permissions on my potato system.
i found numerous cases where things were group root writable
(/usr/share/xterm /etc/emacs* /usr/lib/games/abuse-lib/*
/usr/X11R6/*)
i think that nothing should have group root write permission because
1) its not necessary and 2) the pam_wheel module: the pam_wheel
module is used to restrict who may su to root and it works by
checking membership of gid 0, the root group. one of the points of
not using the root account full time is risk of damage to the system,
however if there are system files scattered about that are writable
by group root then adding users to that group is not safe. in this
case it is probably safer to use the group=wheel option on pam_wheel
and create a new group wheel. this ensures that nothing suddenly
becomes writable full time if the wheel group system is implemented.
the problem is there is NO documentation anywhere that would suggest
that adding trusted users to group root is unsafe.
I have looked this up in debian-policy and in section 4.9 it states
that files should be owned by root.root and be writable by *only* the
owner. so the above mentioned files were in violation of policy.
I also see that the apache server logs are owned by www-data.www-data
and are writable by both the user and group, I thought apache logs
were taken care of by the parent apache process which runs as root?
under this setup if one of the unprivileged apache daemons is
compromised it can alter the logs. this is very bad...
I would ask that all package maintainers double check their packages
to make sure they are compliant to policy and do not have group
writable files where inappropriate. (especially any file with group
root)
Best Regards,
Ethan Benson
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/
Reply to: