Possible security flaw with Accounting (default setup)

Hi gang!

I'm diving a bit deeper into the process of securing my FreeBSD environment a bit more and came across the Process Accounting.

I followed the steps to set everything up and it worked like a charm. However, when studying the whole setup a bit more I suddenly noticed that if you follow the steps from the handbook to set everything up you're basically providing everyone who has a user account on your system access to the collected accounting information.

When a normal user starts lastcomm(1) then they get to see the full accounting history.

I consider that quite a major flaw to be honest. Especially since it can be easily prevented by simply changing the permission bits on the /var/account directory. By default this is owned by root:wheel yet has a permission mask of 755, so effectively allowing everyone access.

If you follow the instructions and use touch /var/account/acct you'll create a file which has 644 as its permission mask, thus also allowing everyone read access.

The solution should be obvious: # chmod o-rx /var/account, this will prevent anyone outside the wheel group from gaining access to your accounting data.

I'm somewhat surprised that this detail wasn't mentioned in the handbook because in my opinion following the default steps can create a potentially dangerous source of information for any intruders.
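
A check for the exposure described in the post above, as an added example that is not part of the original thread or of FreeBSD itself: it reports whether the accounting directory, and the files inside it, are reachable by users outside the owner and group. The function names and the `ACCT_DIR` variable are made up for this example; `/var/account` is the path from the post.

```shell
#!/bin/sh
# Added example: audit process-accounting paths for access by "other" users.
# ACCT_DIR and the function names are assumptions made for this example.

# has_other_bits PATH MASK -> succeeds if PATH has every bit of MASK set
# (octal mask: 004 = other-read, 001 = other-execute/search).
has_other_bits() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# audit_acct DIR -> prints one line per finding; returns 1 if any were found.
audit_acct() {
    dir=$1
    found=0
    if has_other_bits "$dir" 004; then
        echo "EXPOSED: $dir can be listed by others"
        found=1
    fi
    if has_other_bits "$dir" 001; then
        echo "EXPOSED: $dir can be entered by others"
        found=1
        # Files only matter while the directory itself can be entered:
        # without the search bit on DIR, others cannot open anything in it.
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            if has_other_bits "$f" 004; then
                echo "EXPOSED: $f can be read by others"
                found=1
            fi
        done
    fi
    return "$found"
}

# Audit the live accounting directory when it exists.
ACCT_DIR=${ACCT_DIR:-/var/account}
if [ -d "$ACCT_DIR" ]; then
    audit_acct "$ACCT_DIR" || true
fi
```

With the defaults described in the post (directory 755, acct file 644) this prints three findings; after `chmod o-rx` on the directory it prints none, even though the file's own mode is still 644.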
 
Thanks for the confirmation guys, much appreciated.

Still a bit nervous (probably for nothing), but I just entered my very first PR to bring this issue to the attention of the FreeBSD developers. As soon as I know more (such as a confirmation by e-mail) I'll send in an update.
 
There are a lot of permissions I've changed from their defaults. Most of the files in /etc, /var/log/messages, /var/log/utx.*, /var/run/utx.active, and several others I can't think of at the moment. It's particularly irritating that /var/run/utx.active is made world-readable again when the system starts, even after patching libc to create it with 0640. Some of those things are personal preference, so you really just need to sift through your system files and decide on a case-by-case basis.

Kevin Barry
 
This reminded me of the "issue" with /root permissions being 755 by default on FreeBSD. I was not able to find a topic regarding this here on the forums, maybe I saw it in a mailing list somewhere.

Same goes with user home directories - I'd expect them to be 700 by default.
 