[Logcheck-devel] Bug#252784: logcheck: /etc/logcheck/* should be world-readable

Justin B Rye jbr at edlug.org.uk
Sat Jun 5 01:11:41 UTC 2004


Package: logcheck
Version: 1.2.20a
Severity: normal
Tags: patch

The archived logcheck-database bug #209048:
"logcheck directories should be readable by group adm"
claims to have been resolved; if you want to revive that one and
merge this with it, go ahead, but note the more ambitious subject.

The chgrp/chmod commands in logcheck.postinst currently set badly
incoherent permissions: on the one hand, the files in /etc/logcheck
are world-readable; on the other hand, the subdirectories are all
"750 root:logcheck", so a mere adm-group member can't so much as
list the rules files. 

Unreadability is pointless in files anyone can download copies of.
And once that's fixed, the logcheck-group ownership is redundant.
So what they really ought to be is something like "755 root:root".
Suggested patch (against the logcheck-1.2.21 version) attached.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable')
Architecture: i386 (i586)
Kernel: Linux 2.6.6
Locale: LANG=en_GB, LC_CTYPE=en_GB

Versions of packages logcheck depends on:
ii  adduser          3.53                    Add and remove users and groups
ii  cron             3.0pl1-83               management of regular background p
ii  debconf [debconf 1.4.25                  Debian configuration management sy
ii  debianutils      2.8.2                   Miscellaneous utilities specific t
ii  exim4            4.32-2                  An MTA (Mail Transport Agent)
ii  exim4-daemon-lig 4.32-2                  Lightweight version of the Exim (v
ii  lockfile-progs   0.1.10                  Programs for locking and unlocking
ii  logcheck-databas 1.2.20a                 A database of system log rules for
ii  logtail          1.2.20a                 Returns parts of logfiles that hav
ii  mailx            1:8.1.2-0.20031014cvs-2 A simple mail user agent
ii  sysklogd [system 1.4.1-10                System Logging Daemon

-- debconf information:
  logcheck/changes: 
* logcheck/install-note: 

-- 
JBR
Ankh kak! (Ancient Egyptian blessing)
-------------- next part --------------
--- logcheck.postinst.old	2004-06-05 01:29:21.000000000 +0100
+++ logcheck.postinst.new	2004-06-05 01:34:59.000000000 +0100
@@ -45,15 +45,9 @@
     	  chown -R logcheck:logcheck /var/lib/logcheck  || true
           chown -R logcheck:logcheck /var/state/logcheck > /dev/null 2>&1 \
 	      || true
-          chgrp -R logcheck /etc/logcheck || true
-          chmod 750 /etc/logcheck/ignore.d.paranoid || true
-          chmod 750 /etc/logcheck/ignore.d.workstation || true
-          chmod 750 /etc/logcheck/ignore.d.server || true
-          chmod 750 /etc/logcheck/cracking.d || true
-          chmod 750 /etc/logcheck/cracking.ignore.d || true
-          chmod 750 /etc/logcheck/violations.d || true
-          chmod 750 /etc/logcheck/violations.ignore.d || true
-    	  chmod -R g+rX /etc/logcheck || true
+          chown -R root:root /etc/logcheck || true
+          chmod -R +r /etc/logcheck || true
+          chmod +x /etc/logcheck/*.d* || true
           # just in case
           chown logcheck /var/lock/logcheck > /dev/null 2>&1 || true
 	fi
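Review bot: The added `chmod -R +r /etc/logcheck` and `chmod +x /etc/logcheck/*.d*` lines omit the "who" part, so the bits they set depend on the umask in effect when the postinst runs. Because the new `chown -R root:root` drops the logcheck group, the logcheck user can reach these files only through the "other" bits, and under a restrictive umask such as 027 those bits would not be granted. The `*.d*` glob is also not recursive, and it matches any name in /etc/logcheck containing ".d", regular files included. A single `chmod -R a+rX /etc/logcheck || true` would state the intended mode explicitly, add search permission to directories at every depth, and avoid the glob. Two further points: neither the old nor the new lines clear existing group or other write bits, and the recursive chown and chmod override any ownership or mode a local admin has set under /etc/logcheck whenever this branch runs, so a comment in the script saying that this is intentional would help.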

