# Possible security flaw with Accounting (default setup)



## ShelLuser (Jul 25, 2013)

Hi gang!

I'm diving a bit deeper into the process of securing my FreeBSD environment a bit more and came across the Process Accounting.

I followed the steps to set everything up and it worked like a charm. However, when studying the whole setup a bit more I suddenly noticed that if you follow the steps from the handbook to set everything up you're basically providing everyone who has a user account on your system access to the collected accounting information.

When a normal user starts lastcomm(1) then they get to see the full accounting history.

I consider that quite a major flaw to be honest. Especially since it can be easily prevented by simply changing the permission bits on the /var/account directory. By default this is owned by root:wheel yet has a permission mask of 755, so effectively allowing everyone access.

If you follow the instructions and use `touch /var/account/acct` you'll create a file which has 644 as its permission mask, thus also allowing everyone read access.

The solution should be obvious: `# chmod o-rx /var/account`. This will prevent anyone outside the wheel group from gaining access to your accounting data.

I'm somewhat surprised that this detail wasn't mentioned in the handbook because in my opinion following the default steps can create a potentially dangerous source of information for any intruders.


----------
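An added example, not part of the original thread: a portable sh check that classifies the exposure described in the post above from the "other" permission bits on the accounting directory and its acct file. The function names `has_perm` and `acct_exposure` and the four state labels are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: who can reach the process accounting file?
# has_perm, acct_exposure and the state labels are hypothetical names.

# has_perm PATH OCTAL -> exit 0 if PATH has every bit in OCTAL set.
# Only POSIX find(1) primaries are used, so this behaves the same on
# FreeBSD and Linux (no stat(1) format differences to handle).
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# acct_exposure DIR -> prints one state:
#   exposed    directory is o+x and acct is o+r: any local user can
#              read the accounting history with lastcomm(1)
#   dir-open   directory is o+x, acct itself is not o+r
#   file-open  acct is o+r, but the directory blocks "other"
#              (the state after `chmod o-rx` on the directory)
#   closed     neither bit is set
#   missing    DIR does not exist
acct_exposure() {
    dir=$1
    file=$dir/acct
    if [ ! -d "$dir" ]; then
        echo missing
        return 0
    fi
    dir_open=no
    file_open=no
    # o+x on the directory is what lets other users open files inside it.
    if has_perm "$dir" 001; then dir_open=yes; fi
    # o+r on the file is what `touch` leaves behind under umask 022.
    if has_perm "$file" 004; then file_open=yes; fi
    case $dir_open$file_open in
        yesyes) echo exposed ;;
        yesno)  echo dir-open ;;
        noyes)  echo file-open ;;
        *)      echo closed ;;
    esac
}
```

Run it as root, for example `acct_exposure /var/account`, because a non-root caller cannot inspect the file once the directory is closed to it.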



## wblock@ (Jul 25, 2013)

I would say it should be `chmod 600 /var/account`.  Even wheel users should not be able to view it.


----------



## ShelLuser (Jul 25, 2013)

Thanks for the confirmation guys, much appreciated.

Still a bit nervous (probably for nothing), but I just entered my very first PR to bring this issue to the attention of the FreeBSD developers. As soon as I know more (such as a confirmation by e-mail) I'll send in an update.


----------



## ta0kira (Jul 25, 2013)

There are a lot of permissions I've changed from their defaults. Most of the files in /etc, /var/log/messages, /var/log/utx.*, /var/run/utx.active, and several others I can't think of at the moment. It's particularly irritating that /var/run/utx.active is made world-readable again when the system starts, even after patching libc to create it with 0640. Some of those things are personal preference, so you really just need to sift through your system files and decide on a case-by-case basis.

Kevin Barry


----------



## wblock@ (Aug 6, 2013)

Changes committed: http://svnweb.freebsd.org/doc?view=revision&revision=42501.


----------



## _martin (Aug 6, 2013)

This reminded me of the _"issue"_ with /root permissions being 755 by default on FreeBSD. I was not able to find a topic regarding this here on the forums; maybe I saw it on a mailing list somewhere.

Same goes with user home directories - I'd expect them to be 700 by default.


----------



## kpa (Aug 6, 2013)

Users are put into their own groups at creation so 750 should be enough.


----------

