Bug 291531 - Process accounting does not create initial pacct file with secure permissions
Process accounting does not create initial pacct file with secure permissions
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: psacct (Show other bugs)
5.1
All Linux
medium Severity high
: ---
: ---
Assigned To: Ivana Varekova
:
Depends On:
Blocks: 456414
  Show dependency treegraph
 
Reported: 2007-09-14 15:35 EDT by HMDC Linux Support
Modified: 2013-04-12 15:21 EDT (History)
0 users

See Also:
Fixed In Version: RHBA-2008-0626
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-07-30 09:05:06 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description HMDC Linux Support 2007-09-14 15:35:05 EDT
Description of problem:
The process accounting package does not create the initial pacct process
accounting data file with secure permissions. If logrotate is installed,
subsequent pacct files are created with properly secured permissions by
logrotate due to the "create 0600 root root" line in /etc/logrotate.d/psacct,
but the permissions on the first pacct file created remain the same. Due to the
fact that /var/account is readable by all users, the first pacct file created
remains readable by all users. This can disclose sensitive system information to
unprivileged users.

Version-Release number of selected component (if applicable):
This issue is present in the latest released versions of the psacct package for
RHEL v5, v4, and v3:
psacct-6.3.2-41.1
psacct-6.3.2-39.rhel4
psacct-6.3.2-36.rhel3

How reproducible:
Install psacct

Steps to Reproduce:
1. Install psacct
2. ls -l /var/account/pacct
3.
  
Actual results:
/var/account/pacct has octal permissions 644

Expected results:
/var/account/pacct has octal permissions 600

Additional info:
This problem can be corrected by inserting a line in the psacct rpm %post
scriptlet after the line:
touch /var/account/pacct
such as:
chmod 600 /var/account/pacct
Comment 5 errata-xmlrpc 2008-07-30 09:05:06 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0626.html

Note You need to log in before you can comment on or make changes to this bug.