Your message dated Sun, 16 Jan 2005 15:37:56 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#290803: login: /var/log/btmp is created with insecure permissions
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Stefanos Harhalakis <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: login: /var/log/btmp is created with insecure permissions
X-Mailer: reportbug 3.2
Date: Sun, 16 Jan 2005 21:51:44 +0200

Package: login
Version: 1:4.0.3-30.7
Severity: critical
Tags: security
Justification: root security hole


It seems that /var/log/btmp is created as a world readable file.
This is insecure (and it is reported by 'tiger') because this file
contains failed logins, including unknown usernames. It is possible
for a user to see the root password (and others too) by running /usr/bin/lastb.

Tiger reports this as an error:

# Checking for existence of log files...
--FAIL-- [logf005f] Log file /var/log/btmp permission should be 660 

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686-smp
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages login depends on:
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libpam-modules              0.76-22      Pluggable Authentication Modules f
ii  libpam-runtime              0.76-22      Runtime support for the PAM librar
ii  libpam0g                    0.76-22      Pluggable Authentication Modules l

-- no debconf information
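
An added audit check in the spirit of the tiger finding quoted above (example code written for this page, not tiger's own check and not part of the login package): it reports a failed-login log whose mode grants anything beyond 660 and can tighten it. It assumes GNU stat (Linux); the function names and the default path argument are mine.

```shell
#!/bin/sh
# Added example, not from the bug report or the login package: audit a
# failed-login log such as /var/log/btmp the way tiger's logf005f check
# does. A mode of 660 means no access for "other" and no execute bits.
# Assumes GNU stat. The path is a parameter; /var/log/btmp is only the default.

# check_log_mode [FILE] [MAXMODE]
# Returns 0 when FILE's mode sets no bits outside MAXMODE (default 660),
# 1 when the file is missing or grants more than allowed.
check_log_mode() {
    file=${1:-/var/log/btmp}
    maxmode=${2:-660}
    if [ ! -e "$file" ]; then
        printf '%s\n' "--FAIL-- Log file $file does not exist"
        return 1
    fi
    mode=$(stat -c %a "$file")
    # Shell arithmetic reads a leading 0 as octal, so "0$mode" is the numeric
    # mode; any bit set in mode but clear in maxmode is excess permission.
    excess=$(( 0$mode & ~0$maxmode ))
    if [ "$excess" -ne 0 ]; then
        printf '%s\n' "--FAIL-- [logf005f] Log file $file permission should be $maxmode (is $mode)"
        return 1
    fi
    printf '%s\n' "--PASS-- Log file $file permission is $mode"
    return 0
}

# fix_log_mode [FILE] [MODE]
# Tightens FILE to exactly MODE (default 660) and re-runs the check.
# Changing the owning group needs root and is left to the administrator.
fix_log_mode() {
    file=${1:-/var/log/btmp}
    mode=${2:-660}
    chmod "$mode" "$file" && check_log_mode "$file" "$mode"
}

# Run as a script: audit the file named on the command line.
if [ $# -gt 0 ]; then
    check_log_mode "$1" "${2:-660}"
fi
```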

---------------------------------------
To: Stefanos Harhalakis <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: Bug#290803: login: /var/log/btmp is created with insecure permissions
References: <[EMAIL PROTECTED]>
From: Sam Hartman <[EMAIL PROTECTED]>
Date: Sun, 16 Jan 2005 15:37:56 -0500
In-Reply-To: <[EMAIL PROTECTED]> (Stefanos Harhalakis's message of "Sun, 16 Jan 2005 21:51:44 +0200")
Message-ID: <[EMAIL PROTECTED]>

>>>>> "Stefanos" == Stefanos Harhalakis <[EMAIL PROTECTED]> writes:


    Stefanos> It seems that /var/log/btmp is created as a world
    Stefanos> readable file.  This is insecure (and it is reported by
    Stefanos> 'tiger') because this file contains failed logins ,
    Stefanos> including unknown usernames. It is possible for a user
    Stefanos> to see the root password (and others too) by running
    Stefanos> /usr/bin/lastb.

Hmm, looks to me like unknown user names are logged as unknown.

UNKNOWN                                Sun Jan 16 13:08 - 13:08  (00:00)
hartmans                               Sun Jan 16 13:07 - 13:07  (00:00)
hartmans                               Thu Jan 13 13:37 - 13:37  (00:00)
UNKNOWN                                Sat Jan  8 17:03 - 17:03  (00:00)
UNKNOWN                                Sat Jan  8 17:03 - 17:03  (00:00)
hartmans                               Sat Jan  8 17:02 - 17:02  (00:00)
UNKNOWN                                Thu Jan  6 15:49 - 15:49  (00:00)
UNKNOWN                                Thu Jan  6 15:49 - 15:49  (00:00)
UNKNOWN                                Thu Jan  6 15:48 - 15:48  (00:00)
hartmans                               Thu Jan  6 11:03 - 11:03  (00:00)
hartmans                               Wed Jan  5 14:23 - 14:23  (00:00)
hartmans                               Tue Jan  4 11:50 - 11:50  (00:00)
UNKNOWN                                Tue Dec 28 12:47 - 12:47  (00:00)
UNKNOWN                                Tue Dec 28 12:47 - 12:47  (00:00)
UNKNOWN                                Fri Dec 17 15:33 - 15:33  (00:00)
UNKNOWN                                Fri Dec 17 15:33 - 15:33  (00:00)
UNKNOWN                                Fri Dec 17 14:08 - 14:08  (00:00)
hartmans                               Fri Dec 17 12:16 - 12:16  (00:00)
UNKNOWN                                Fri Dec 17 12:16 - 12:16  (00:00)
hartmans                               Fri Dec 17 12:15 - 12:15  (00:00)
UNKNOWN                                Fri Dec 17 09:30 - 09:30  (00:00)
hartmans                               Fri Dec 17 05:40 - 05:40  (00:00)
hartmans                               Thu Dec 16 22:41 - 22:41  (00:00)
hartmans                               Thu Dec 16 11:03 - 11:03  (00:00)
UNKNOWN                                Wed Dec 15 14:15 - 14:15  (00:00)
UNKNOWN                                Wed Dec 15 14:15 - 14:15  (00:00)
hartmans                               Wed Dec 15 14:15 - 14:15  (00:00)
hartmans                               Wed Dec 15 12:01 - 12:01  (00:00)
hartmans                               Tue Dec 14 13:04 - 13:04  (00:00)
UNKNOWN                                Sun Dec 12 09:22 - 09:22  (00:00)
hartmans                               Sun Dec 12 09:22 - 09:22  (00:00)
hartmans                               Fri Dec 10 13:05 - 13:05  (00:00)

btmp begins Fri Dec 10 13:05:24 2004

Tiger and cops and that line of tools are notorious for reporting
things as errors that simply are not.

