Bug 1062930 - audit: Make non-config files world-readable
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: audit
Version: 20
Hardware: Unspecified
OS: Unspecified
Assignee: Steve Grubb
QA Contact: Fedora Extras Quality Assurance
Reported: 2014-02-08 20:35 UTC by Andy Lutomirski
Modified: 2014-02-09 18:02 UTC (History)

Doc Type: Bug Fix
Last Closed: 2014-02-09 17:55:39 UTC
Type: Bug


Description Andy Lutomirski 2014-02-08 20:35:07 UTC
audit.spec contains things like:

%attr(750,root,root) /sbin/auditctl
%attr(750,root,root) /sbin/auditd
%attr(750,root,root) /sbin/autrace
%attr(750,root,root) /sbin/audispd
%attr(750,root,root) /sbin/augenrules
%attr(640,root,root) %{_unitdir}/auditd.service
%attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/resume
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/restart
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/condrestart

Please make all of the non-security-sensitive ones world-readable and, if applicable, world-executable.

The current configuration adds no security whatsoever (anyone who cares can download those files from the original RPM), but it's annoying.

(Once upon a time, it made sense to keep the prelinked versions secret.  This is no longer true -- prelinking is more or less dead, having been replaced with PIE.)
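
Added example, not part of the original report or of the audit package: a small Python parser for `%attr(mode,user,group)` lines like those quoted in the description, which decodes each mode and lists the entries that give "other" no read bit. The sample fragment is constructed from lines in the report plus one hypothetical `-` (keep default mode) entry; the function names are this example's own.

```python
import re
import stat

# Constructed sample: %attr lines in the form quoted in the report, plus one
# hypothetical "-" mode entry (rpm's "keep the default") to exercise that branch.
SPEC_FRAGMENT = """\
%attr(750,root,root) /sbin/auditctl
%attr(640,root,root) %{_unitdir}/auditd.service
%attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd
%attr(-,root,root) /usr/share/doc/example
"""

ATTR_RE = re.compile(
    r"^%attr\(\s*([0-7]{3,4}|-)\s*,\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)\s+(.*)$"
)

def parse_attr_lines(text):
    """Return one dict per %attr line: mode, owner, group, is_dir, path."""
    entries = []
    for line in text.splitlines():
        m = ATTR_RE.match(line.strip())
        if not m:
            continue  # not an %attr line; ignore
        mode_s, owner, group, rest = m.groups()
        tokens = rest.split()
        entries.append({
            "mode": None if mode_s == "-" else int(mode_s, 8),
            "owner": owner, "group": group,
            "is_dir": "%dir" in tokens[:-1], "path": tokens[-1],
        })
    return entries

def describe(entry):
    """Render the mode ls-style and report the 'other' read/execute bits."""
    mode = entry["mode"]
    if mode is None:  # "-" leaves the mode unspecified, so nothing to decode
        return {"path": entry["path"], "symbolic": None,
                "other_read": None, "other_exec": None}
    ftype = stat.S_IFDIR if entry["is_dir"] else stat.S_IFREG
    return {"path": entry["path"],
            "symbolic": stat.filemode(ftype | mode),
            "other_read": bool(mode & stat.S_IROTH),
            "other_exec": bool(mode & stat.S_IXOTH)}

def not_world_readable(text):
    """Paths whose explicit mode gives 'other' no read bit."""
    return [d["path"] for d in map(describe, parse_attr_lines(text))
            if d["other_read"] is False]

if __name__ == "__main__":
    for e in parse_attr_lines(SPEC_FRAGMENT):
        print(describe(e))
```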

Comment 1 Steve Grubb 2014-02-09 17:55:39 UTC
The permissions are exactly what they have to be. The audit system is not like other parts of the system. Its permissions are dictated by the needs for Common Criteria. I keep Fedora and RHEL in sync so there are no surprises. I apologize if this is an inconvenience.

Comment 2 Andy Lutomirski 2014-02-09 18:02:19 UTC
Do you have a reference to the relevant CC rules?  A quick skim through the docs found nothing remotely relevant.

(If you're right, I just lost a considerable amount of respect for CC.)

