> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of RB
> Sent: Thursday, April 09, 2009 2:34 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] wrong permissons on directories
>
> On Thu, Apr 9, 2009 at 06:19, Rainer Gerhards <[email protected]>
> wrote:
> > In other words: I am not yet fully convinced (even not after reading the rest
> > of your post ;)). But I am getting closer to being convinced ;)
>
> :) I haven't any further arguments, so we may have to stop halfway.

Maybe some other folks cast their ballot - but it was probably not smart to send this mail directly before Easter ;)

> As a security "professional" (whatever that ends up meaning) I tend to
> prefer developers allow me to make that choice,

Actually, it is your choice. Let me explain, in case there is a misunderstanding. You have full control over the directory permissions, via the $DirCreateMode [1] directive. For example, Michael Biebl was so smart to include a "$DirCreateMode 0755" in the standard Debian configuration, so it almost is a no-issue there. What I am talking about is the default for this setting, the case when nothing was specified by the user.

> but understand the
> balance you have to make between that and helping your users make wise

I am not talking about wise vs. unwise decisions. My concern is that in current releases, the default is off, but it also means it is somewhat strict. If I now change the default (which would be wise), it may result in relaxed access control permissions. And as this affects users who so far did not care at all about the permissions, those users may never know - that is what triggers some "bad feelings" inside me.

As a side-note, I wonder if a default of 0700 might be even wiser than "755". Who doesn't like that can override it. As the default is probably "pain in the a..." for people, they would possibly begin thinking about that aspect (but on the other hand I already envision all those smart web sites that tell you just to use "$DirCreateMode 0777" to "fix the issue" - so this may even be less useful than starting with 755 in the first place). The more I think about it, this whole issue is much less about technical defaults but more about human nature ;)

> (if erring on the side of cautious) decisions, particularly with
> "legacy" software.

I hope this clarifies,
Rainer

[1] http://www.rsyslog.com/doc-rsconf1_dircreatemode.html
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
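
A check for the situation the mail worries about, where a changed default leaves directories more open than an administrator intended without anyone noticing. This is an added example, not part of the original mail and not rsyslog code; it walks a log tree and reports every directory whose mode grants bits beyond a chosen policy. The function names, the sample tree and the 0700 policy are assumptions constructed for illustration.

```python
import os
import stat
import tempfile


def dirs_exceeding(root, policy_mode):
    """List directories below root that grant permission bits outside policy_mode.

    Returns sorted (relative_path, actual_mode, extra_bits) tuples. The root
    itself is not checked, and symlinks are neither followed nor reported.
    """
    findings = []
    for current, subdirs, _files in os.walk(root):
        for name in subdirs:
            path = os.path.join(current, name)
            st = os.lstat(path)
            if not stat.S_ISDIR(st.st_mode):
                continue  # os.walk lists symlinks to directories here; skip them
            mode = stat.S_IMODE(st.st_mode)
            extra = mode & ~policy_mode  # bits set on disk but absent from policy
            if extra:
                findings.append((os.path.relpath(path, root), mode, extra))
    return sorted(findings)


def demo():
    """Build a constructed tree using the three modes named in the thread and audit it."""
    with tempfile.TemporaryDirectory() as root:
        sample = (("hostA", 0o700), ("hostB", 0o755), ("hostB/2009", 0o777))
        for rel, mode in sample:
            path = os.path.join(root, rel)
            os.mkdir(path)
            os.chmod(path, mode)  # explicit chmod so the process umask plays no part
        return dirs_exceeding(root, 0o700)


if __name__ == "__main__":
    for rel, mode, extra in demo():
        print(f"{rel}: mode {mode:04o} exceeds policy by {extra:04o}")
```

Running the audit once before and once after changing the default shows whether directories created in between are wider than the policy.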

