FS#2772 - /var/log/btmp has wrong permissions for sshd
Attached to Project: Arch Linux
Opened by Rafal Szczepaniak (lanrat) - Saturday, 28 May 2005, 23:47 GMT
Last edited by Dale Blount (dale) - Wednesday, 21 December 2005, 19:54 GMT
Details
I have sshd running on the server.
There are many ssh login attempts (brute force) logged in /var/log/auth.log. But with every login attempt there is also a message:

    Excess permission or bad ownership on file /var/log/btmp

So, sshd complains about permissions to this file which are:

    ls -l /var/log/btmp
    -rw-r--r-- 1 root root 0 2004-11-14 17:34 /var/log/btmp

This also makes the lastb command (shows failed login attempts) useless because it's using an empty btmp file.

I've googled around and found a similar Red Hat bug report:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=156900
with a workaround:

    chmod 0600 /var/log/btmp

I've tried it and it seems to work. A simulated failed login is now being printed by the lastb command.

    pacman -Qo /var/log/btmp

returns:

    No package owns /var/log/btmp

so I don't know when and by what this file is created (it's possible that it was created just by using the lastb command for the first time but the date is quite old).

There is also a security risk if /var/log/btmp is world readable. Other programs may accept current permissions and the common mistake is to use a password in place of a login name which will be logged in this file too and available for all users :-)
Shall I restrict permissions on the other 3 files created by filesystem also? lastlog, wtmp, utmp?
It would only break a few utils (for non-root users) like w, who, users, last etc. etc.
Information from these logs is also available in other places.
I found a good description of what would happen:
http://www.monkey.org/openbsd/archive2/misc/200205/msg00373.html
So 644 seems to be fine for these files.
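
A permission audit for the files discussed in this report, as an added example that is not part of the original report or of any Arch package. It applies the modes settled on above (0600 for btmp, 0644 for wtmp, utmp and lastlog) and assumes GNU coreutils stat; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag login-record files whose mode or owner exceeds policy.
# Policy taken from the report: btmp 0600; wtmp, utmp, lastlog 0644.
# Assumes GNU coreutils stat (-c). Function names are hypothetical.

# excess_bits FILE ALLOWED_OCTAL
# Prints (in octal) the permission bits set on FILE beyond ALLOWED_OCTAL.
excess_bits() {
    mode=$(stat -c '%a' "$1") || return 2
    printf '%o\n' $(( 0$mode & ~0$2 & 07777 ))
}

# audit_file FILE ALLOWED_OCTAL OWNER
# Returns 0 when FILE is absent or within policy, 1 on a finding.
audit_file() {
    [ -e "$1" ] || { echo "SKIP $1 (missing)"; return 0; }
    extra=$(excess_bits "$1" "$2") || return 2
    owner=$(stat -c '%U' "$1")
    rc=0
    if [ "$extra" != 0 ]; then
        echo "FAIL $1: excess permission bits $extra (allowed $2)"; rc=1
    fi
    if [ "$owner" != "$3" ]; then
        echo "FAIL $1: owned by $owner, expected $3"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $1"
    return "$rc"
}

# audit_login_logs DIR OWNER
# Checks the four files under DIR; files that do not exist are skipped
# (utmp often lives outside /var/log).
audit_login_logs() {
    failed=0
    audit_file "$1/btmp" 0600 "$2" || failed=1
    for f in wtmp utmp lastlog; do
        audit_file "$1/$f" 0644 "$2" || failed=1
    done
    return "$failed"
}

# Audit the real files only when asked: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_login_logs /var/log root
fi
```

On the file shown in the report (mode 644), the btmp line reports excess bits 44, which is the group and world read access that chmod 0600 removes.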