Red Hat Bugzilla – Bug 291531
Process accounting does not create initial pacct file with secure permissions
Last modified: 2013-04-12 15:21:30 EDT
Description of problem: The process accounting package does not create the initial pacct process accounting data file with secure permissions. If logrotate is installed, subsequent pacct files are created with properly secured permissions by logrotate due to the "create 0600 root root" line in /etc/logrotate.d/psacct, but the permissions on the first pacct file created remain the same. Due to the fact that /var/account is readable by all users, the first pacct file created remains readable by all users. This can disclose sensitive system information to unprivileged users. Version-Release number of selected component (if applicable): This issue is present in the latest released versions of the psacct package for RHEL v5, v4, and v3: psacct-6.3.2-41.1 psacct-6.3.2-39.rhel4 psacct-6.3.2-36.rhel3 How reproducible: Install psacct Steps to Reproduce: 1. Install psacct 2. ls -l /var/account/pacct 3. Actual results: /var/account/pacct has octal permissions 644 Expected results: /var/account/pacct has octal permissions 600 Additional info: This problem can be corrected by inserting a line in the psacct rpm %post scriptlet after the line: touch /var/account/pacct such as: chmod 600 /var/account/pacct
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0626.html