Bug 456414
| Summary: | psacct: Process accounting does not create initial pacct file with secure permissions | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | varekova |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | psacct-6.3.2-44.el5.rpm | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-07-23 14:34:10 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 291531 | ||
| Bug Blocks: | |||
Description of problem: The process accounting package does not create the initial pacct process accounting data file with secure permissions. If logrotate is installed, subsequent pacct files are created with properly secured permissions by logrotate due to the "create 0600 root root" line in /etc/logrotate.d/psacct, but the permissions on the first pacct file created remain the same. Due to the fact that /var/account is readable by all users, the first pacct file created remains readable by all users. This can disclose sensitive system information to unprivileged users. Steps to Reproduce: 1. Install psacct 2. ls -l /var/account/pacct Proposed .spec file patch: * creating pacct file with secure (0600) permissions touch %{accounting_logdir}/pacct chmod 600 %{accounting_logdir}/pacct * ghosting %attr(0600,root,root) %ghost %config %{accounting_logdir}/pacct