Bug 291531 - Process accounting does not create initial pacct file with secure permissions
Summary: Process accounting does not create initial pacct file with secure permissions
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: psacct
Version: 5.1
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
: ---
Assignee: Ivana Varekova
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 456414
TreeView+ depends on / blocked
 
Reported: 2007-09-14 19:35 UTC by HMDC Linux Support
Modified: 2013-04-12 19:21 UTC (History)
0 users

Fixed In Version: RHBA-2008-0626
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-30 13:05:06 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0626 0 normal SHIPPED_LIVE psacct bug fix update 2008-07-30 13:05:01 UTC

Description HMDC Linux Support 2007-09-14 19:35:05 UTC
Description of problem:
The process accounting package does not create the initial pacct process
accounting data file with secure permissions. If logrotate is installed,
subsequent pacct files are created with properly secured permissions by
logrotate due to the "create 0600 root root" line in /etc/logrotate.d/psacct,
but the permissions on the first pacct file created remain the same. Due to the
fact that /var/account is readable by all users, the first pacct file created
remains readable by all users. This can disclose sensitive system information to
unprivileged users.

Version-Release number of selected component (if applicable):
This issue is present in the latest released versions of the psacct package for
RHEL v5, v4, and v3:
psacct-6.3.2-41.1
psacct-6.3.2-39.rhel4
psacct-6.3.2-36.rhel3

How reproducible:
Install psacct

Steps to Reproduce:
1. Install psacct
2. ls -l /var/account/pacct
3.
  
Actual results:
/var/account/pacct has octal permissions 644

Expected results:
/var/account/pacct has octal permissions 600

Additional info:
This problem can be corrected by inserting a line in the psacct rpm %post
scriptlet after the line:
touch /var/account/pacct
such as:
chmod 600 /var/account/pacct

Comment 5 errata-xmlrpc 2008-07-30 13:05:06 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0626.html


Note You need to log in before you can comment on or make changes to this bug.