507436 – app-forensics/lynis should set limited read permissions for /etc/lynis/default.prf

Bug 507436 - app-forensics/lynis should set limited read permissions for /etc/lynis/default.prf

Summary: app-forensics/lynis should set limited read permissions for /etc/lynis/defaul...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Christian Ruppert (idl0r)

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2014-04-11 16:53 UTC by Toralf Förster
Modified:	2014-04-11 18:39 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Toralf Förster gentoo-dev

2014-04-11 16:53:03 UTC

I was just wondering about the differences :


$ ls -l /var/log/lynis*
-rw-r----- 1 root root 407830 Apr  5 16:22 /var/log/lynis.log
-rw-r----- 1 root root  20643 Apr  5 16:22 /var/log/lynis-report.dat

$ ls -l /etc/lynis/default.prf
-rw-r--r-- 1 root root 10356 Apr 11 00:04 /etc/lynis/default.prf

I contacted the author of lynis and he confirmed that the weak perms came from the Gentoo install method rather than from a lynis installer itself.

 
>Hi Toralf,
>
>In that case it is better to report it to the Gentoo package maintainer >directly.
>I agree that normal users should not be able to see configuration files, if not >necessary to run the software ;-)
>
>Kind regards,
>
>Michael

Comment 1 Christian Ruppert (idl0r) gentoo-dev

2014-04-11 18:39:42 UTC

Hi Toralf,

I adjusted the default perms in 1.5.0-r1 to be more strict. You may have to unmerge lynis first as it wont override the permissions.
Thanks!