Possible security flaw with Accounting (default setup)

ShelLuser

Son of Beastie


Hi gang!

I'm diving a bit deeper into the process of securing my FreeBSD environment a bit more and came across the Process Accounting.

I followed the steps to set everything up and it worked like a charm. However, when studying the whole setup a bit more I suddenly noticed that if you follow the steps from the handbook to set everything up you're basically providing everyone who has a user account on your system access to the collected accounting information.

When a normal user starts lastcomm(1) then they get to see the full accounting history.

I consider that quite a major flaw to be honest. Especially since it can be easily prevented by simply changing the permission bits on the /var/account directory. By default this is owned by root:wheel yet has a permission mask of 755, so effectively allowing everyone access.

If you follow the instructions and use touch /var/account/acct you'll create a file which has 644 as its permission mask, thus also allowing everyone read access.

The solution should be obvious: # chmod o-rx /var/account, this will prevent anyone outside the wheel group from gaining access to your accounting data.

I'm somewhat surprised that this detail wasn't mentioned in the handbook because in my opinion following the default steps can create a potentially dangerous source of information for any intruders.
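The permission check described in the post above, written out as an added example that is not part of the original thread. The function names (`other_bits`, `other_can_read`, `harden_dir`, `audit`) are hypothetical; the path and the `chmod o-rx` fix are the ones from the post, and only mode bits are inspected, not ACLs.

```shell
#!/bin/sh
# Added example: audit the process accounting directory for access by
# "other" users (anyone who is neither the owner nor in the owning group).
# Function names are hypothetical; /var/account and acct come from the post.

# List every entry at or below $1 that grants any permission bit to "other".
other_bits() {
    find "$1" \( -perm -001 -o -perm -002 -o -perm -004 \) -print 2>/dev/null
}

# Succeed if an "other" user could read file $2 inside directory $1.
# Both conditions are needed: search (x) on the directory and read (r) on
# the file. A 644 file inside a directory without o+x is not reachable.
other_can_read() {
    [ -n "$(find "$1" -prune -perm -001 -print 2>/dev/null)" ] &&
    [ -n "$(find "$1/$2" -prune -perm -004 -print 2>/dev/null)" ]
}

# The fix from the post: drop read and search for "other" on the directory.
harden_dir() {
    chmod o-rx "$1"
}

# Report on the accounting directory: 0 = not exposed, 1 = exposed,
# 2 = directory missing (accounting not set up on this host).
audit() {
    dir=${1:-/var/account}
    if [ ! -d "$dir" ]; then
        echo "SKIP: $dir does not exist"
        return 2
    fi
    if other_can_read "$dir" acct; then
        echo "EXPOSED: $dir/acct is readable by every local user"
        return 1
    fi
    echo "OK: $dir/acct is not reachable by other users"
    return 0
}

# Typical use as root on the host being checked:
#   audit /var/account || harden_dir /var/account
```

After hardening, `other_bits` will still list the 644 `acct` file itself; the directory's missing search bit is what keeps other users out.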
 

wblock@

Beastie Himself
Developer


I would say it should be chmod 600 /var/account. Even wheel users should not be able to view it.
 
ShelLuser

Son of Beastie


Thanks for the confirmation guys, much appreciated.

Still a bit nervous (probably for nothing), but I just entered my very first PR to bring this issue to the attention of the FreeBSD developers. As soon as I know more (such as a confirmation by e-mail) I'll send in an update.
 

ta0kira

Active Member


There are a lot of permissions I've changed from their defaults. Most of the files in /etc, /var/log/messages, /var/log/utx.*, /var/run/utx.active, and several others I can't think of at the moment. It's particularly irritating that /var/run/utx.active is made world-readable again when the system starts, even after patching libc to create it with 0640. Some of those things are personal preference, so you really just need to sift through your system files and decide on a case-by-case basis.

Kevin Barry
 

_martin

Aspiring Daemon


This reminded me of the "issue" with /root permissions being 755 by default on FreeBSD. I was not able to find a topic regarding this here on the forums; maybe I saw it on a mailing list somewhere.

Same goes with user home directories - I'd expect them to be 700 by default.
 

kpa

Beastie's Twin


Users are put into their own groups at creation so 750 should be enough.
 