/var/log/ directory is readable only by root #10015
Assignees
Labels
Comments
saiarcot895
added a commit
to saiarcot895/sonic-buildimage
that referenced
this issue
Feb 18, 2022
PR sonic-net#9481 changed auditd's log directory to be /var/log instead of /var/log/audit, because SONiC mounts a disk image at /var/log during runtime, and so the /var/log/audit directory might not exist (since it would've been created during package installation, mounting another partition at /var/log will hide it). However, for security reasons, auditd changes the log directory to have 0750 permissions, so that not everyone knows about the audit logs or read them. To fix this, revert the change to auditd's log directory, and tell systemd to create the audit log directory at runtime if it doesn't exist. Because the disk image gets mounted during initramfs (before systemd starts), systemd will make sure that the /var/log/audit directory will exist. Fixes sonic-net#9548 and sonic-net#10015 Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
6 tasks
6 tasks
saiarcot895
added a commit
that referenced
this issue
Feb 28, 2022
…55 (#10031) PR #9481 changed auditd's log directory to be /var/log instead of /var/log/audit, because SONiC mounts a disk image at /var/log during runtime, and so the /var/log/audit directory might not exist (since it would've been created during package installation, mounting another partition at /var/log will hide it). However, for security reasons, auditd changes the log directory to have 0750 permissions, so that not everyone knows about the audit logs or read them. To fix this, revert the change to auditd's log directory, and tell systemd to create the audit log directory at runtime if it doesn't exist. Because the disk image gets mounted during initramfs (before systemd starts), systemd will make sure that the /var/log/audit directory will exist. Fixes #9548 and #10015 Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
judyjoseph
pushed a commit
that referenced
this issue
Mar 7, 2022
…55 (#10031) PR #9481 changed auditd's log directory to be /var/log instead of /var/log/audit, because SONiC mounts a disk image at /var/log during runtime, and so the /var/log/audit directory might not exist (since it would've been created during package installation, mounting another partition at /var/log will hide it). However, for security reasons, auditd changes the log directory to have 0750 permissions, so that not everyone knows about the audit logs or read them. To fix this, revert the change to auditd's log directory, and tell systemd to create the audit log directory at runtime if it doesn't exist. Because the disk image gets mounted during initramfs (before systemd starts), systemd will make sure that the /var/log/audit directory will exist. Fixes #9548 and #10015 Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Steps to reproduce the issue:
Describe the results you received:
/var/loghas 0700 permissions, which means only root can access the directory. In previous images, all users could access the directory and at least list the files in there.Describe the results you expected:
/var/logshould have 0755 permissions.Output of
show version:Output of
show techsupport:N/A
Additional information you deem important (e.g. issue happens only occasionally):
The text was updated successfully, but these errors were encountered: