Package: denyhosts
Version: 2.6-4
Severity: normal
/var/lib/denyhosts contains a number of security-related logs; the directory and its logs are created world-readable by default. Security logs should be root-readable only; I did:

    dpkg-statoverride --update --add root root 0750 /var/lib/denyhosts

to fix my installation.

This is particularly important for the users-invalid file, as legitimate users occasionally type their password when prompted for their username, so an attacker could scan the file for potential passwords. For the other logs, the issue is mainly to prevent attackers from gaining information about security measures and attack success/failure. (Personally, I would prefer that even /etc/denyhosts.conf and /var/log/denyhosts were not world-readable for the same reason.)

This should not cause any problems when denyhosts is run as root (the default), unless someone has custom scripts that process the logs under a different username. That case could be accommodated with a denyhosts group or some such.

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages denyhosts depends on:
ii  lsb-base        3.2-20   Linux Standard Base 3.2 init scrip
ii  python          2.5.2-3  An interactive high-level object-o
ii  python-central  0.6.8    register and build utility for Pyt

denyhosts recommends no packages.

denyhosts suggests no packages.

-- no debconf information
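The following is an added example, not part of the bug report or of the denyhosts package: a small POSIX sh audit that lists world-readable entries under a denyhosts state directory and then applies the modes the report asks for (0750 on the directory, 0640 on the log files). It runs against whatever directory it is given, so it can be tried on a constructed scratch copy; the scratch copy's file names mirror the denyhosts state files but the files themselves are empty placeholders. On a real Debian system the persistent fix is the reporter's dpkg-statoverride command, since a plain chmod can be reset by a package upgrade.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a denyhosts state directory
# for world-readable entries, then tighten the modes as the report requests.
# Pass the directory to check; on a live system that is /var/lib/denyhosts
# and the commands must run as root.

# Print every entry under "$1" (the directory itself included) whose
# "other read" bit is set.  `-perm -o+r` matches when that bit is present.
world_readable_entries() {
    find "$1" -perm -o+r
}

# Number of world-readable entries under "$1", for scripting and checks.
count_world_readable() {
    world_readable_entries "$1" | wc -l | tr -d ' '
}

# Tighten modes: directories 0750, regular files 0640.  This is the plain
# chmod equivalent of the reporter's fix; on Debian the persistent form is
#   dpkg-statoverride --update --add root root 0750 /var/lib/denyhosts
# so a later package upgrade does not silently restore 0755.
harden_dir() {
    find "$1" -type d -exec chmod 0750 {} +
    find "$1" -type f -exec chmod 0640 {} +
}

# Build a constructed scratch directory that mimics the package defaults
# described in the report (directory 0755, logs 0644).  The file names are
# the denyhosts state files; the contents are empty placeholders.
make_sample_dir() {
    d=$(mktemp -d)
    chmod 0755 "$d"
    for f in hosts hosts-restricted hosts-root hosts-valid \
             users-hosts users-invalid users-valid; do
        : > "$d/$f"
        chmod 0644 "$d/$f"
    done
    printf '%s\n' "$d"
}

# Stand-alone run: show the problem, fix it, show the result.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_dir)
    echo "world-readable before: $(count_world_readable "$sample")"
    harden_dir "$sample"
    echo "world-readable after:  $(count_world_readable "$sample")"
    rm -rf "$sample"
fi
```

Run with `--demo` to see the before/after counts on the scratch copy, or source the file and point `count_world_readable` and `harden_dir` at a real directory.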