Subject: Re: misc/18670: lastlog has bad permissions by default
To: gabriel rosenkoetter <gr@eclipsed.net>
From: Greg A. Woods <woods@weird.com>
List: netbsd-bugs
Date: 10/16/2002 15:07:53
[ On Wednesday, October 16, 2002 at 14:37:28 (-0400), gabriel rosenkoetter wrote: ]
> Subject: Re: misc/18670: lastlog has bad permissions by default
>
> On Wed, Oct 16, 2002 at 12:23:01PM -0400, Greg A. Woods wrote:
> > The file /var/log/lastlog is written to by the same programs that write
> > to /var/log/wtmp and it must have the same permissions and ownerships.
> 
> Why should the group write bit not be the same, then?
> 
> /var/log/wtmp has 0644 permissions under NetBSD by default, so
> whatever's writing to it has root permission. Why should lastlog be
> any different?

Sorry, I really meant to point to /var/run/utmp, not /var/log/wtmp!

/var/log/lastlog should not be any different than either /var/log/wtmp
or /var/run/utmp.  I.e. they're all written by the same programs and
should all have the same permissions and ownerships.

I.e. the ownership of /var/log/wtmp is also not correct.  :-)

There is already an existing 'utmp' group (and IIRC has been for a very
long time, certainly since the first 4.4BSD-Lite release).

Currently, unfortunately, only /var/run/utmp uses this group.

However there are some programs which write to wtmp and lastlog and
which do not really need to be run as root for any other reason.  I've
had some success with using the existing "utmp" group and lowering their
set-user-id root privileges to set-group-id utmp (and of course giving
all the relevant files the appropriate group owner and permissions).

(Unfortunately most such programs need fixes to the pty interface before
they can truly give up their silly set-user-id root nature, eg. xterm)

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>