From ipfw@ya3.so-net.ne.jp  Fri Feb 23 15:19:25 2001
Return-Path: <ipfw@ya3.so-net.ne.jp>
Received: from mgate08.so-net.ne.jp (mgate08.so-net.ne.jp [210.139.254.155])
	by hub.freebsd.org (Postfix) with ESMTP id 2E8F937B401
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 23 Feb 2001 15:19:24 -0800 (PST)
	(envelope-from ipfw@ya3.so-net.ne.jp)
Received: from mail.ya3.so-net.ne.jp (mspool11.so-net.ne.jp [210.139.248.11])
	by mgate08.so-net.ne.jp (8.8.8+3.0Wbeta9/3.6W01022316) with ESMTP id IAA03855
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 24 Feb 2001 08:19:22 +0900 (JST)
Received: from localhost (p78a3bd.kngwnt01.ap.so-net.ne.jp [61.120.163.189])
	by mail.ya3.so-net.ne.jp (8.9.3/3.7W01022316) with ESMTP id IAA20348
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 24 Feb 2001 08:19:21 +0900 (JST)
Message-Id: <20010224082444P.ipfw@ya3.so-net.ne.jp>
Date: Sat, 24 Feb 2001 08:24:44 +0900
From: Yoshihiro Koya <Yoshihiro.Koya@math.yokohama-cu.ac.jp>
Sender: ipfw <ipfw@ya3.so-net.ne.jp>
To: FreeBSD-gnats-submit@freebsd.org
Subject: Deprecated permission of /var/log/console.log
X-Send-Pr-Version: 3.113

>Number:         25329
>Category:       bin
>Synopsis:       The current default permission of /var/log/console.log is deprecated
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 23 15:20:00 PST 2001
>Closed-Date:    Mon May 28 13:54:44 PDT 2001
>Last-Modified:  Mon May 28 13:55:10 PDT 2001
>Originator:     Yoshihiro Koya
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
Yokohama City Univ. Dept. of Math. Sci.
>Environment:
System: FreeBSD current.my.domain 5.0-CURRENT FreeBSD 5.0-CURRENT #1: Sun Feb 18 22:47:43 JST 2001 root@current.my.domain:/usr/obj/usr/src/sys/current i386


Also on 4-stable as of Feb 23
>Description:
The default permission assumed in /etc/newsyslog.conf
of /var/log/console.log is 640.
But mode 600 is more secure than the current default permission.
Actually, those of /var/log/mount.{today,yesterday} or
/var/log/setuid.{today,yesterday} are also 600.

The reason why this permission is deprecated is as follows:

# su -l
(become root)
# shutdown now
(go into single-user mode)
# /bin/cat /etc/master.passwd
(the contents of /etc/master.passwd are here)
# exit
(go into multi-user mode again)
(after logging in as a usual user belonging to wheel)
% cat /var/log/console.log
(you may find the contents of /etc/master.passwd)

Everything done by root during single-user mode
can be viewed via /var/log/console.log.

>How-To-Repeat:
>Fix:

At least, the following modification seems to be required.

--- newsyslog.conf.orig	Sat Feb 24 08:16:58 2001
+++ newsyslog.conf	Sat Feb 24 08:18:53 2001
@@ -17,4 +17,4 @@
 /var/log/daily.log			640  7	   *	@T00  Z
 /var/log/weekly.log			640  5	   1	$W6D0 Z
 /var/log/monthly.log			640  12	   *	$M1D0 Z
-/var/log/console.log			640  5     100	*     Z
+/var/log/console.log			600  5     100	*     Z
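Review bot: The 640 to 600 change on the /var/log/console.log line only sets the mode newsyslog gives the file it creates at rotation, and this entry rotates on size alone (100 in the size field, * in the when field), so a console.log that already exists keeps mode 640 until it grows past that size. Suggest a one-time chmod 600 of the existing file as part of the change, or a note to that effect in the commit message. The unchanged context lines leave daily.log, weekly.log and monthly.log at 640; if that is intentional, a short comment in the file saying why console.log is stricter would help the next reader.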
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: phk 
State-Changed-When: Mon May 28 13:54:44 PDT 2001 
State-Changed-Why:  
fixed in current, MFC scheduled. 

Thanks 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=25329 
>Unformatted:
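
An added example, not part of the original report or of FreeBSD's own tooling: a POSIX sh audit that reads a newsyslog.conf, flags entries whose configured mode grants group or other access, and flags files that are still looser on disk than an owner-only configured mode (the case of a console.log created before the fix). The function names and the sample entries, including secure.log, are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit newsyslog.conf modes against what is on disk.

# loose_on_disk FILE: succeed if FILE exists and any group/other bit is set.
loose_on_disk() {
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \))" ]
}

# audit_newsyslog CONF
#   CONFIG <path> mode=<m>        configured mode grants group/other access
#   ONDISK <path> configured=<m>  config is owner-only, file on disk is not
audit_newsyslog() {
    while read -r path f2 f3 _rest; do
        case $path in ''|'#'*) continue ;; esac          # blank or comment
        # An optional owner:group field may precede the mode.
        case $f2 in *[!0-7]*) mode=$f3 ;; *) mode=$f2 ;; esac
        case $mode in ''|*[!0-7]*) continue ;; esac      # not a log entry
        case $mode in
            *00) if loose_on_disk "$path"; then
                     echo "ONDISK $path configured=$mode"
                 fi ;;
            *)   echo "CONFIG $path mode=$mode" ;;
        esac
    done < "$1"
}

# demo: constructed sample using temporary paths instead of /var/log.
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/nsl.XXXXXX") || return 1
    : > "$d/console.log"; chmod 640 "$d/console.log"   # created before the fix
    : > "$d/secure.log";  chmod 600 "$d/secure.log"    # hypothetical entry
    cat > "$d/newsyslog.conf" <<EOF
# constructed sample entries
$d/daily.log			640  7	   *	@T00  Z
$d/console.log			600  5     100	*     Z
$d/secure.log	root:wheel	600  5     100	*     Z
EOF
    audit_newsyslog "$d/newsyslog.conf"
    rm -rf "$d"
}

demo
```

On a real system the function would be pointed at /etc/newsyslog.conf; an ONDISK line for console.log means the file predates the mode change and still needs its mode tightened by hand.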
