-
-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Why does tmpfiles want the "utmp" group for /var/log/btmp ? #6994
Comments
it has been that way since f448d9e was merged. The group "utmp" is used for permitting tools to modify these databases without having to be root. But you are right 0600 makes little sense for btmp. we should probably bump that to 0660 |
As discussed in systemd#6994. Fixes: systemd#6994
I prepped #6997 now, which adjusts the file mode to make things less contradictory. With that patch in place "utmp" members can now manipulate all four databases, which appears to be what the internet assumes the group does and what traditionally was implemented by most distros. (for example, it is implied by this CVE: https://www.exploit-db.com/exploits/17147/) |
why the permission of /var/log/btmp cannot be 0664 , just like /var/log/wtmp? |
@fayeinseu Historically, because btmp logs usernames for bad login attempts, and one common login failure involves a user typing part or all of their password as their username. |
We have in tmpfiles.d/var/conf.my:
What exactly the purpose of setting
utmp
group on /var/log/btmp as:with mode 600 it doesn't really make sense to have something else but
root
the group
utmp
is only used to allow the utempter program to update /run/utmp (resp wtmp). utempter doesn't even touch /var/log/btmp.Thanks for any suggestions.
The text was updated successfully, but these errors were encountered: