> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of RB
> Sent: Thursday, April 09, 2009 2:15 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] wrong permissons on directories
>
> On Thu, Apr 9, 2009 at 02:58, Rainer Gerhards <[email protected]>
> wrote:
> > the current default does not work well, but it is extremely restrictive. So
>
> It's not that it doesn't work well, it honestly doesn't work at all.

Well... that's the issue that I see. It works, as rsyslog usually runs as root. Granted, nobody but root can read the directories, but this is exactly what I meant by being restrictive. If we fix this issue, we permit access to these directories and as such are more open than before. I wouldn't be arguing so hard if it were not a potential security issue...

In other words: I am not yet fully convinced (not even after reading the rest of your post ;)). But I am getting closer to being convinced ;)

Rainer

> A directory in UNIX without execute permissions is effectively
> inaccessible to any non-root user, encouraging less-knowledgeable
> admins to just run everything as root.
>
> > Has anyone an opinion on that? And I'll probably go for the v4-only change if
> > nobody convinces me that there is no security risk...
>
> The only risk is that users originally granted permission to use a
> directory may actually be allowed to do so. If a user's data is
> sufficiently sensitive that such a change would unacceptably expose
> it, my bet is that they have already changed the permissions to
> something even more restrictive. I wouldn't suggest making the change
> if it's the only one you need to make to v2, but if there are others
> pending it would be a wise addition IMHO.
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
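
The effect discussed in this thread, a directory whose mode grants read or write but not execute (search), can be audited from the mode bits alone. The Python sketch below is an added example, not part of the original messages and not rsyslog code; the directory names and modes in `demo()` are constructed sample data.

```python
import os
import stat
import tempfile

# Permission bits per class: (read, write, execute/search).
CLASSES = {
    "owner": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    "group": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    "other": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
}

def unusable_grants(mode):
    """Classes that were granted r or w on a directory but lack x.

    Without x a non-root user cannot open or stat entries inside the
    directory, so the r/w grant gives no usable access.
    """
    perms = stat.S_IMODE(mode)
    return [name for name, (r, w, x) in CLASSES.items()
            if perms & (r | w) and not perms & x]

def audit_tree(root):
    """Map each affected directory under root (relative path) to its classes."""
    findings = {}
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if stat.S_ISDIR(st.st_mode):
                classes = unusable_grants(st.st_mode)
                if classes:
                    findings[os.path.relpath(path, root)] = classes
    return findings

def demo():
    """Audit a constructed tree of per-host log directories."""
    modes = {"hostA": 0o644, "hostB": 0o750, "hostC": 0o700, "hostD": 0o640}
    with tempfile.TemporaryDirectory() as root:
        for name, mode in modes.items():
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)  # explicit chmod, so umask does not interfere
        try:
            return audit_tree(root)
        finally:
            for name in modes:  # restore modes so cleanup cannot fail
                os.chmod(os.path.join(root, name), 0o700)

if __name__ == "__main__":
    print(demo())
```

Directories such as `hostB` (0750) and `hostC` (0700) are not reported: classes with no access at all are the restrictive case from the thread, not the broken one.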

