On Tue, 09.10.12 10:31, Matthew Miller (mat...@fedoraproject.org) wrote:

> On Tue, Oct 09, 2012 at 04:05:10PM +0200, Lennart Poettering wrote:
> > On Tue, 09.10.12 09:49, Matthew Miller (mat...@fedoraproject.org) wrote:
> > > allowing regular users to do so. (Commonly currently accomplished by
> > > making /var/log/messages owned and readable by the wheel group.)
> > The HTTP thingy is not really how admins should access the logs. They
> > should just use journalctl.
> 
> On a related but tangential note: I notice that journalctl allows access to
> members of the admin group by default.

Well, I'd say this differently: we _restrict_ access to "adm", in
contrast to the previous logic where everybody was allowed to read
/var/log/messages and only root /var/log/secure.

> In Fedora for the past few releases
> we've followed the tradition of making "wheel" the admin group -- see
> http://docs.fedoraproject.org/en-US/Fedora/17/html/Installation_Guide/sn-firstboot-systemuser.html
> This is also the case in RHEL 6, so changes here have downstream
> implications.

The way I see this is that "wheel" allows you to *do* privileged things,
but "adm" allows you to *see* privileged things.

Note that "adm" has been widely used for the log purpose on other Linux
distros, most notably Debian and its descendants. On Debian
/var/log/messages defaulted to being private to "adm", and we kinda
wanted to unify things here and thought the Debian default is much nicer
than the Fedora default of world-readability of logs, from a security
PoV.

> Could we make that a default on Fedora in addition to adm? (I assume this is
> polkit but can't see it offhand -- hmmm... looks to be hard-coded in the
> source?) I don't really have a strong opinion about whether adm should work
> or not, but wheel should.

Well, we could of course add this as ACL, but I wonder if it wouldn't be
nicer to declare that "adm" is for seeing, and "wheel" for doing as I
suggested above.

> Second, there's a traditional separation between /var/log/secure and
> /var/log/messages. Crucially, the "secure" log may contain
> accidentally-typed user passwords and other privacy-sensitive information.
> How can we do something similar with the systemd journal and
> journalctl?

As mentioned no system messages are user-readable by default in the
journal. We are more secure by default with the journal.

> Ideally, the /var/log/messages data would be available to members of the
> admin group without extra authentication, but seeing the potentially-privacy
> sensitive /var/log/secure should require re-authentication. (As a sysadmin,
> I should be able to safely look at message data with a user looking over my
> shoulder, so I can help them without possibly exposing private information
> about other users on the system.)

Well, honestly the old secure vs. messages split is kinda broken, simply
because old syslog didn't check the originator of messages and hence
unprivileged processes could have their data spill into the presumed
"secure" logs. Splitting this off based on the "facility" field is fake
security, and we don't do "fake security" anymore with the journal.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
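An added illustration of the point made above about the facility-based split, not part of the thread: the sample entries below are constructed in the shape of `journalctl -o json` output, where `SYSLOG_FACILITY` is whatever the sending process claimed, while underscore-prefixed fields such as `_UID` and `_COMM` are filled in by journald from the sender's credentials. Filtering on the claimed facility alone reproduces the old /var/log/secure behaviour; checking the trusted origin field as well shows which "secure" lines actually came from an unprivileged process.

```python
import json

# Constructed sample lines mimicking `journalctl -o json` (one JSON object per line).
# Facility 4 = auth, 10 = authpriv: what /var/log/secure traditionally collected.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"MESSAGE": "pam_unix(sshd:auth): authentication failure; user=alice",
                "SYSLOG_FACILITY": "10", "PRIORITY": "5", "_UID": "0", "_COMM": "sshd"}),
    json.dumps({"MESSAGE": "Started Session 3 of user alice.",
                "SYSLOG_FACILITY": "3", "PRIORITY": "6", "_UID": "0", "_COMM": "systemd"}),
    json.dumps({"MESSAGE": "unprivileged process tagging its own line as authpriv",
                "SYSLOG_FACILITY": "10", "PRIORITY": "6", "_UID": "1000", "_COMM": "python3"}),
])

AUTH_FACILITIES = {"4", "10"}


def parse_export(text):
    """Parse newline-delimited JSON journal entries into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def secure_by_facility(entries):
    """Old syslog-style split: trust whatever facility the sender claimed."""
    return [e for e in entries if e.get("SYSLOG_FACILITY") in AUTH_FACILITIES]


def secure_by_origin(entries, trusted_uids=("0",)):
    """Treat an entry as 'secure' only if journald's trusted _UID shows a privileged sender."""
    return [e for e in entries
            if e.get("SYSLOG_FACILITY") in AUTH_FACILITIES
            and e.get("_UID") in trusted_uids]


def untrusted_facility_claims(entries, trusted_uids=("0",)):
    """Entries claiming an auth facility from a non-privileged UID: the lines the old split let through."""
    return [e for e in entries
            if e.get("SYSLOG_FACILITY") in AUTH_FACILITIES
            and e.get("_UID") not in trusted_uids]


if __name__ == "__main__":
    entries = parse_export(SAMPLE_EXPORT)
    print(len(secure_by_facility(entries)), "entries selected by facility alone")
    print(len(secure_by_origin(entries)), "entries selected by facility plus trusted origin")
    for e in untrusted_facility_claims(entries):
        print("facility claimed by uid", e["_UID"], "(%s):" % e["_COMM"], e["MESSAGE"])
```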
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel