fai log permissions

Holger Parplies wfai at parplies.de
Tue Sep 27 17:43:54 CEST 2011 

Hi,

Toomas Tamm wrote on 2011-09-27 16:38:13 +0300 [Re: fai log permissions]:
> On Tue, 2011-09-27 at 11:35 +0200, Natxo Asenjo wrote:
> > The standard fai log permissions are too generous: 644 for all the log
> > files in /var/log/fai/localhost/install-date. If you use debconf to
> > set passwords, then those passwords are readable to anyone with shell
> > access.
> > 
> > Is this issue still in the most recent fai?

looking through the source
($NFSROOT/live/filesystem.dir/usr/lib/fai/fai-savelog), this seems to have
changed (root:adm, u=rwx,g=rx for the directory). Reality confirms this
observation ;-). You could always change the permissions from a hook - either
run it after task savelog or create /var/log/fai with more restrictive
permissions beforehand.

> While I see how it can be a problem for some use cases, I personally do
> not have any sensitive information in the logs and find it very
> convenient to be able to check the logs while being logged on as myself
> on the FAI server.

The logs on the FAI *server* are a different matter. They seem to be world
readable (but then, /var/log/fai on *my* FAI server was created by an older
version of FAI). Here, likewise, you could set more restrictive permissions
on /var/log/fai or even on specific host subdirectories (just make sure that
$LOGUSER has access).

As for reading the logs, my personal choice is to make myself a member of the
'adm' group (*). That allows for doing routine jobs (also including access to
sensitive system logs) without escalating priviledges and without giving away
access to the information to "just anybody". If 'adm' doesn't fit your needs,
there is no reason not to create a 'fai' or 'fai-log' group for this purpose.
The nice thing about having world readable log *files* is that you can easily
tune access through parent directory permissions without needing to touch the
code creating the log files.

(*) ainsl -s $target/etc/pam.d/common-auth \
        'auth   optional        pam_group.so'
    ainsl -s $target/etc/security/group.conf \
        '*;*;yourusername;Al0000-2400;adm' '\*;\*;yourusername;Al0000-2400;adm'

> If any changes are planned in the permissions of the
> logs, please make it a user-configurable option rather than hard-coding
> any specific value.

I like the current behaviour. Sensible restrictive defaults on the directory,
flexible world read permissions on the files inside it.

Regards,
Holger

More information about the linux-fai mailing list