Bug 1062930
| Summary: | audit: Make non-config files world-readable | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Andy Lutomirski <luto> |
| Component: | audit | Assignee: | Steve Grubb <sgrubb> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 20 | CC: | sgrubb |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-02-09 17:55:39 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
The permissions are exactly what they have to be. The audit system is not like other parts of the system. It permissions are dictated by the needs for common criteria. I keep fedora and RHEL in sync so there are no surprises. I apologize if this is an inconvenience. Do you have a reference to the relevant CC rules? A quick skim through the docs found nothing remotely relevant. (If you're right, I just lost a considerable amount of respect for CC.) |
audit.spec contains things like: %attr(750,root,root) /sbin/auditctl %attr(750,root,root) /sbin/auditd %attr(750,root,root) /sbin/autrace %attr(750,root,root) /sbin/audispd %attr(750,root,root) /sbin/augenrules %attr(640,root,root) %{_unitdir}/auditd.service %attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/resume %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/restart %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/condrestart Please make all of the non-security-sensitive ones world-readable and, if applicable, world-executable. The current configuration adds no security whatsoever (anyone who cares can download those files from the original RPM), but it's annoying. (Once upon a time, it make sense to keep the prelinked versions secret. This is no longer true -- prelinking is more or less dead, having been replaced with PIE.)