Bug 35237

Summary: security perms on emerge.log are too lax
Product: Portage Development
Reporter: John Davis (zhen) (RETIRED) <zhen>
Component: Unclassified
Assignee: Portage team <dev-portage>
Status: RESOLVED FIXED
Severity: enhancement
CC: hardened
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description John Davis (zhen) (RETIRED) gentoo-dev 2003-12-06 21:10:17 UTC
Currently, the perms on /var/log/emerge.log are just 655; the perms should be
something more like 600. Trivial, but something to lock down portage more.

Reproducible: Always
Steps to Reproduce:
1. ls -l /var/log/emerge.log
Portage 2.0.49-r15 (hardened-x86-1.4, gcc-3.2.3, glibc-2.3.2-r3, 2.4.20-gentoo-r7)
=================================================================
System uname: 2.4.20-gentoo-r7 i686 Celeron (Mendocino)
Gentoo Base System version 1.4.3.10
distcc 2.11.1 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O3 -mcpu=i686 -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /var/qmail/control /usr/share/config
/usr/kde/2/share/config /usr/kde/3/share/config"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-O3 -mcpu=i686 -pipe"
DISTDIR="/raid/distfiles"
FEATURES="ccache autoaddcvs sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.oregonstate.edu
http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://192.168.1.1/gentoo-portage"
USE="x86 zlib gdbm berkdb slang readline pam libwww perl python -nls -doc -tcpd
crypt apache2 ssl sasl maildir mysql"
Comment 1 SpanKY gentoo-dev 2003-12-06 21:17:53 UTC
perhaps chgrp it to portage and then do similar permission settings on /var/db/pkg, /var/cache/edb, etc...
Comment 2 John Davis (zhen) (RETIRED) gentoo-dev 2003-12-06 22:55:09 UTC
i could, but why doesn't portage do this by default? users that are not in the portage group should not be able to read all of that anyway ...
Comment 3 SpanKY gentoo-dev 2003-12-06 23:08:27 UTC
i wasn't telling you to do it; i was offering other similar improvements :P
Comment 4 John Davis (zhen) (RETIRED) gentoo-dev 2003-12-09 17:29:16 UTC
added into portage by carpaski
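
The check and the tightening discussed in this bug, as an added example that is not part of the original report and is not Portage's own code. The function names are hypothetical, the `portage` group comes from Comment 1, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not Portage's code: find and remove world access on the
# paths named in the bug (/var/log/emerge.log, /var/db/pkg, /var/cache/edb).

# other_bits PATH -> print the octal digit holding the "other" (world) bits
other_bits() {
    mode=$(stat -c '%a' "$1") || return 2    # GNU stat, e.g. 655 or 2755
    printf '%s\n' "${mode#"${mode%?}"}"       # keep only the last digit
}

# is_lax PATH -> exit 0 when users outside owner and group have any access
is_lax() {
    bits=$(other_bits "$1") || return 2
    [ "$bits" != 0 ]
}

# audit PATH... -> print one line per lax path; exit 1 if any were found
audit() {
    found=0
    for p in "$@"; do
        [ -e "$p" ] || continue               # skip paths that do not exist
        if is_lax "$p"; then
            printf 'LAX %s %s\n' "$(stat -c '%a %U:%G' "$p")" "$p"
            found=1
        fi
    done
    return "$found"
}

# harden PATH [GROUP] -> optionally chgrp to GROUP, then drop world access.
# Owner and group bits are left as they were.
harden() {
    if [ -n "${2:-}" ]; then
        chgrp "$2" "$1" || return 1
    fi
    chmod o-rwx "$1"
}

# Stand-alone use: ./script /var/log/emerge.log /var/db/pkg /var/cache/edb
if [ "$#" -gt 0 ]; then
    audit "$@"
fi
```

As root, `harden /var/log/emerge.log portage` applies the group change suggested in Comment 1 before removing world access.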