| Summary: | information disclosure of the IP address of all connected users to all simple users | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | William Waisse <bugs.gentoo.org> |
| Component: | Default Configs | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | bugs.gentoo.org, jaak, kensington, taaroa |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

Description
William Waisse
2012-08-16 13:46:08 UTC
same problem for /var/log/wtmp and the last command

    chmod 550 /var/log/wtmp /var/run/utmp

should be a default to protect user privacy (not disclosing all the IPs of all users to all users)

Another thing, netstat and ps information disclosures are not a problem for me since those are kernel side and blocked by a good grsecurity configuration, but utmp and wtmp are not kernel stuff, so it's not grsec's job to fix it.

If some consider it's a "feature" that any user can easily get (and spy on) the IP addresses of all other users on the same Linux box, perhaps this could be a fix only for the hardened Gentoo flavour.

Please note that changing the group ownership to 'adm' as you suggest would break at least net-misc/screen and sys-libs/utempter (required by xterm, kdelibs and others), which are setgid utmp.

(In reply to comment #3)
> Please note that changing the group ownership to 'adm' as you suggest would
> break at least net-misc/screen and sys-libs/utempter (required by xterm,
> kdelibs and others), which are setgid utmp.

yup, adm group was just a first idea/workaround I tried

I finally did:

    ls -al /var/run/utmp
    -r-xr-x--- 1 root utmp 20352 Aug 16 17:38 /var/run/utmp

    chmod 550 /var/run/utmp

(same thing for /var/log/wtmp)

and screen is still working here:

    screen -ls
    2 Sockets in /var/run/screen/username

screen seems to make it well and use per user /var/run/screen/username and NOT /var/run/utmp

perhaps I missed something for screen, but it seems 100 % ok here, probably thanks to this utmp setgid ;)

I don't know for utempter

This all seems fixed to me:

    -rwxr-xr-x 1 root root 51792 Feb 25 12:51 /usr/bin/who
    -rw-rw-r-- 1 root utmp 179712 Mar 17 16:57 /var/log/wtmp
    -rw-rw-r-- 1 root utmp 2304 Mar 17 16:57 /var/run/utmp

Anyone still reporting otherwise?
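
An added example (not from the bug report or from any Gentoo package) that audits the exposure discussed in this thread: it checks whether a utmp/wtmp file is readable by "other" and lists the login records whose remote-host field any local user could then read. It assumes the 384-byte glibc record layout used on Linux x86/x86_64; the function names and the sample records are constructed for illustration.

```python
import os
import stat
import struct
import tempfile

# Assumption: glibc "struct utmp" as written on Linux x86/x86_64 (384 bytes).
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
USER_PROCESS = 7  # ut_type of an interactive login session

def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def remote_logins(path):
    """Return (user, line, host) for every login record that names a remote host."""
    found = []
    with open(path, "rb") as fh:
        # A short trailing read (truncated record) ends the loop.
        while len(rec := fh.read(UTMP.size)) == UTMP.size:
            ut_type, _pid, line, _id, user, host = UTMP.unpack(rec)[:6]
            if ut_type == USER_PROCESS and _text(host):
                found.append((_text(user), _text(line), _text(host)))
    return found

def audit(path):
    """Report the file mode and which remote hosts any local user could read."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    world_readable = bool(mode & stat.S_IROTH)
    return {
        "mode": oct(mode),
        "world_readable": world_readable,
        "exposed": remote_logins(path) if world_readable else [],
    }

def sample_record(user, line, host):
    """Build one constructed USER_PROCESS record (test data, not a real login)."""
    return UTMP.pack(USER_PROCESS, 4242, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, 0, 0, 0, 0, 0, 0)

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample_record("alice", "pts/0", "192.0.2.10"))  # remote login
        tmp.write(sample_record("bob", "tty1", ""))               # local console
    for mode in (0o664, 0o550):  # the two modes quoted in the thread
        os.chmod(tmp.name, mode)
        print(audit(tmp.name))
    os.unlink(tmp.name)
```

Point `audit()` at `/var/run/utmp` and `/var/log/wtmp` from an account that can read them (root or a member of group utmp) to see what the current mode exposes.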