On Thu, Apr 05, 2007 at 05:44:11PM +0200, Laurent Bonnaud wrote:
> # Checking device permissions...
> [...]
> --FAIL-- [dev002f] /dev/log has world permissions
>
> Here are permissions of this socket on my system:
>
> srw-rw-rw- 1 root root 0 mar 15 22:10 /dev/log
>
> Such permissions are standard on all Debian (and Ubuntu) systems I
> could check. Even if I agree that such world permissions are not
> ideal, what is the point of alarming the admin?

Being standard on Debian or Ubuntu does not make them OK. Do you want users to be able to spam your logs with messages? Any user (in a multi-user environment) in Debian/Ubuntu can fill up whatever partition /var/log/ is in through this. In most cases /var/ is in its separate filesystem (on some occasions it's in the / filesystem). Granted, /var/tmp, world writable, is also there, but many sysadmins create a separate partition for temporary stuff users can write to, so that /var/ only holds system-related stuff.

> So could you please make a special case in this check for Debian
> systems?

Sorry, no. If your security policy allows for this please use tiger.ignore, that's what it's for.

Regards

Javier
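The approach recommended in the reply above (keep the check strict, record the local exception in an ignore list) is sketched here as an added example; it is not part of the original message and is not Tiger's own code. The function names, the constructed sample files and the one-regex-per-line ignore format are assumptions made for illustration.

```python
import os
import re
import socket
import stat
import tempfile

WORLD_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def world_perm_findings(paths):
    """Report every path whose mode grants any permission to 'other'."""
    findings = []
    for path in paths:
        mode = os.lstat(path).st_mode
        if stat.S_ISLNK(mode):
            continue  # symlink modes carry no access meaning; skip them
        if mode & WORLD_BITS:
            # Message text copied from the report quoted in the thread.
            findings.append(f"--FAIL-- [dev002f] {path} has world permissions")
    return findings


def apply_ignore(findings, ignore_lines):
    """Drop findings matching any ignore regex (assumed: one regex per line)."""
    patterns = [re.compile(line.strip()) for line in ignore_lines
                if line.strip() and not line.lstrip().startswith("#")]
    return [f for f in findings if not any(p.search(f) for p in patterns)]


def demo():
    """Constructed sample: a 0666 socket standing in for /dev/log, plus two files."""
    with tempfile.TemporaryDirectory() as d:
        log, spool, private = (os.path.join(d, n) for n in ("log", "spool", "private"))
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        sock.bind(log)            # bind() creates the socket file on disk
        os.chmod(log, 0o666)      # srw-rw-rw-, as in the quoted listing
        for path, mode in ((spool, 0o666), (private, 0o600)):
            open(path, "w").close()
            os.chmod(path, mode)
        raw = world_perm_findings([log, spool, private])
        # Local policy accepts the syslog socket only, so the regex is anchored
        # tightly and the other world-writable file is still reported.
        ignore = ["# accepted by local policy",
                  r"\[dev002f\] .*/log has world permissions$"]
        kept = apply_ignore(raw, ignore)
        sock.close()
        names = lambda lines: [os.path.basename(l.split()[2]) for l in lines]
        return names(raw), names(kept)


if __name__ == "__main__":
    print(demo())
```

A narrowly anchored pattern keeps the exception limited to the one socket the policy accepts, so any other world-writable device entry continues to surface in the report.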