[sudo-users] disable logging to /var/log/messages
Russell Van Tassell
russell+sudo-users at loosenut.com
Mon Aug 29 15:21:46 EDT 2005
On Sun, Aug 28, 2005 at 10:28:06AM +0200, Francesco Turco wrote:
> Matthew Stier wrote:
>
> >Not a feature most people would want in a security program.
> >
> >Are you sure you need to run it as 'root'?
> >Does a 'group' have "read" permissions to that device? Have you
> >considered setting the executable set group ID to that group?
>
> fctk at thorium ~ $ ls -l /dev/hda
> brw-rw---- 1 root root 3, 0 28 ago 2005 /dev/hda
>
> fctk at thorium ~ $ ls -l /usr/sbin/hddtemp
> -rwxr-xr-x 1 root root 21504 16 ago 20:30 /usr/sbin/hddtemp
>
> How can I do what you suggested?
Just run:
sudo chmod g+s /usr/sbin/hddtemp
...then it'll be setgid, which should have read access to /dev/hda and
then shouldn't need root (though technically it'll be running under GID
root, which opens up a few other possible holes, too).
You *might* also be able to do something like the following for your
monitoring user (in the sudoers file) so as to avoid logging:
Defaults>monuser !syslog=local7
...then make sure that facility is logging to /dev/null. The caveat
with this (other than the fact that it may *not* work, there) is that
you will now lose *all* messages generated by that user (so you can miss
attacks like someone trying to chain sudo to acquire root).
But, perhaps a sillier question... why are you running the command every
second? Most trending routines (much less efficient monitoring systems)
won't like any delta under a minute, much less five. Sorry, just a
random passing thought...
--
Russell M. Van Tassell
russell at loosenut.com
"I love deadlines. I especially like the whooshing sound they make as
they go flying by."
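As an added example (not part of Russell's reply, and not code from the sudo project), the following POSIX shell script audits the "setgid instead of root" arrangement discussed above. Given a binary and the device it needs to read, it reports whether the binary carries the setgid bit, whether its group matches the device's group, whether that group actually has read permission on the device, and flags the case Russell warns about, where the effective group would be root. The binary and device paths are arguments; no real device is required, so it can be tried on ordinary files.

```shell
#!/bin/sh
# Added example, not from the original thread: audit whether a setgid binary
# gets read access to a device through its group, and warn when that group is
# root (the "GID root opens up a few other possible holes" caveat in the reply).

# Print the mode string (e.g. -rwxr-sr-x) of a path, portably via ls.
mode_of() { ls -ld "$1" | awk '{print $1}'; }

# Print the owning group of a path (4th column of ls -l).
group_of() { ls -ld "$1" | awk '{print $4}'; }

# Return 0 if the path has the setgid bit set: 7th mode character is s or S.
is_setgid() {
    case "$(mode_of "$1" | cut -c7)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# Return 0 if the group class has read permission: 5th mode character is r.
group_readable() {
    [ "$(mode_of "$1" | cut -c5)" = "r" ]
}

# audit_setgid BINARY DEVICE
# Prints NO_SETGID, GROUP_MISMATCH, GROUP_NO_READ, or OK; "OK WARN_GID_ROOT"
# when the setup works but the binary would run with GID root.
audit_setgid() {
    bin="$1"; dev="$2"
    if ! is_setgid "$bin"; then
        echo "NO_SETGID"; return 1
    fi
    bgrp=$(group_of "$bin"); dgrp=$(group_of "$dev")
    if [ "$bgrp" != "$dgrp" ]; then
        echo "GROUP_MISMATCH ($bgrp vs $dgrp)"; return 1
    fi
    if ! group_readable "$dev"; then
        echo "GROUP_NO_READ"; return 1
    fi
    if [ "$bgrp" = "root" ]; then
        echo "OK WARN_GID_ROOT"
    else
        echo "OK"
    fi
    return 0
}

# Usage on a real system: audit_setgid /usr/sbin/hddtemp /dev/hda
```

With the ownership shown in the thread (`/dev/hda` is `root:root` mode 660 and `hddtemp` is `root:root`), `chmod g+s` on the binary makes the audit report `OK WARN_GID_ROOT`: the read works, but every user who can run the binary gets group-root privileges for its whole runtime. Giving the device and the binary a dedicated group (such as the `disk` group found on many distributions) and setting the setgid bit to that group instead keeps the same read access without handing out GID root; the audit then reports a plain `OK`.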