BB Unix Network Monitor - Message
Re: {bb} No messages required... and security
> > A plausible solution would be to create a bigbrother group, and allow
> > the BB group read access to the messages file (or put BB in whatever
> > group the messages file is in). (That's what groups are for).
Yes, that's what groups are for. In my config, where httpd runs as
nobody.nogroup, runbb.sh is executed with 'su nobody -c' and $BBHOME is
recursively chowned to nobody.nogroup, I simply 'chgrp nogroup' and
'chmod 640' the messages file.
Of course, if one wants to be really anal, one can create a separate BB
user and group to use instead of nobody.nogroup and use Apache's SUEXEC
functionality.
> Unfortunately our security chaps etc don't agree...
Then they're connect-the-dot losers. Too bad. If they were not, they'd tell you to properly configure syslog such that the few (very few) messages that *might* contain potentially sensitive information (which won't happen if you've properly configured your services) do not get logged to the messages file at all. Configure syslog such that they get logged to 'auth' or 'security' files (or whatever) and make these files readable only by root.
On a properly configured system, the risk involved in allowing world read permission on the messages file is exceedingly small.
- Kyle
--
Kyle Amon email: kyle.amon@sagemaker.com
url: http://www.gnutec.com/~amonk
KeyID 1024/26DD13D9
Fingerprint = 7D 86 D1 AE 4B E9 91 6A 4B BC B5 B4 12 F0 D3 1A
"Consider a space station where air must be manufactured at great cost:
charging each breather per liter of air may be fair, but wearing the
metered gas mask all day and all night is intolerable even if everyone
can afford to pay the air bill."
- Richard Stallman
The GNU Manifesto, 1985
Petition to Microsoft Corporation for Open Source Consumer Windows!
http://www.linuxresources.com/linuxreview/petition.html
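As an added example, not from the post or the Big Brother project, here is a small POSIX sh audit of the two controls Kyle describes: it parses a constructed BSD-style syslog.conf to report which of the auth/authpriv facilities still reach the messages file, and checks that the messages file is chmod 640 and group-owned by the BB group (the group name is passed in; the post uses nogroup). Paths and the sample configuration are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Audits the two controls the
# post describes: (1) auth/authpriv traffic is kept out of the messages file,
# (2) the messages file is mode 640 and group-owned by the BB group.
# Assumptions: BSD-style syslog.conf syntax ("selector<TAB>action"); the
# sample config and paths below are constructed for the demo; the group name
# (the post uses "nogroup") is supplied by the caller.

# Constructed syslog.conf in the classic layout: authpriv is excluded from
# messages, but the plain "auth" facility is still swept up by "*.info".
write_sample_conf() {
  printf '%s\t%s\n' \
    '*.info;mail.none;authpriv.none' '/var/log/messages' \
    'authpriv.*' '/var/log/secure' \
    'auth.*' '/var/log/auth.log' > "$1"
}

# Print each sensitive facility (auth, authpriv) that the selector writing
# to file $2 in config $1 does not explicitly drop with ".none".
# Empty output means nothing sensitive reaches that file via this rule.
leaking_facilities() {
  sel=$(awk -v t="$2" '$NF == t { print $1; exit }' "$1")
  [ -n "$sel" ] || return 0            # no rule writes to that file
  for fac in auth authpriv; do
    case ";$sel;" in
      *";$fac.none;"*) ;;              # excluded explicitly
      *) printf '%s\n' "$fac" ;;
    esac
  done
}

# Return 0 if file $1 is -rw-r----- (chmod 640) and group-owned by $2.
# Only the first 10 characters of the ls mode field are compared so an
# ACL/SELinux marker ("+" or ".") after the mode does not break the check.
messages_perms_ok() {
  set -- "$(ls -ld "$1" | awk '{ print substr($1, 1, 10), $4 }')" "$2"
  [ "$1" = "-rw-r----- $2" ]
}

# Stand-alone demo on the constructed config; touches no real system file.
demo() {
  d=$(mktemp -d) || return 1
  write_sample_conf "$d/syslog.conf"
  echo "still reaching /var/log/messages: $(leaking_facilities "$d/syslog.conf" /var/log/messages)"
  : > "$d/messages" && chmod 640 "$d/messages"
  messages_perms_ok "$d/messages" "$(id -gn)" && echo "messages file perms ok"
  rm -r "$d"
}
demo
```

On a real host, point leaking_facilities at /etc/syslog.conf and messages_perms_ok at the actual messages file with the BB group name; the demo above reports that the plain auth facility still lands in messages under the classic layout, which is exactly the case the post says to route elsewhere.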