Check your ppp.log or ppp.tun0.log in /var/log

Post by Mat » Wed, 17 Sep 1997 04:00:00



Hi,

I was having a look through my FreeBSD 2.2.2 system last night after
compiling myself a new kernel, so was feeling pretty chuffed about it
(being my first FreeBSD kernel) when I noticed that the directory and
contents of /var/log/ were world-readable.

While it's pretty understandable that some log files have world
attributes it seems INSANE that ppp.log (or, in my case, ppp.tun0.log)
be world-readable. After a quick cat of the file I found, for all to
see, plain text copies of my ISP password visible.

I suppose it's prudent to run around clamping all these files down, but
it strikes me as odd that they'd default to world-readable.

Well, it's probably not a major discovery, but I thought I'd bring it
to your attention anyway.

Cya,

--
Matt Bruce

NB: Remove X's to email me (anti-spam)

Post by Jordan K. Hubbar » Wed, 17 Sep 1997 04:00:00



> While it's pretty understandable that some log files have world
> attributes it seems INSANE that ppp.log (or, in my case, ppp.tun0.log)
> be world-readable. After a quick cat of the file I found, for all to
> see, plain text copies of my ISP password visible.

> I suppose it's prudent to run around clamping all these files down, but
> it strikes me as odd that they'd default to world-readable.

No, you're right - it is odd.  I've asked the ppp maintainer what's up
with this one!  Thanks for pointing it out.

--
- Jordan Hubbard
  FreeBSD core team / Walnut Creek CDROM.

Post by Keith W » Thu, 18 Sep 1997 04:00:00


A friend of mine runs a Debian Linux box and telnetted to his machine one day
and was comparing my fbsd to his linux and was mostly interested in how his
PPP stuff is set up, and cat'd his ppp.log file and his login and passwd was
there plain text also. I mentioned it to him and he reset the perms on
it, but was surprised that it was there. I'll have to check my logs and
see. I don't think the passwd or login are in my ppp logs though.



> > While it's pretty understandable that some log files have world
> > attributes it seems INSANE that ppp.log (or, in my case, ppp.tun0.log)
> > be world-readable. After a quick cat of the file I found, for all to
> > see, plain text copies of my ISP password visible.

> > I suppose it's prudent to run around clamping all these files down, but
> > it strikes me as odd that they'd default to world-readable.

> No, you're right - it is odd.  I've asked the ppp maintainer what's up
> with this one!  Thanks for pointing it out.

> --
> - Jordan Hubbard
>   FreeBSD core team / Walnut Creek CDROM.
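
The "clamping down" discussed in this thread, as an added example that is not part of any post: a POSIX shell check that lists world-readable PPP logs in a directory and removes access for "other". The function names and the `ppp*.log` pattern are assumptions chosen to cover the two file names mentioned (ppp.log, ppp.tun0.log); the demo runs on a constructed temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread). The name pattern 'ppp*.log' is an
# assumption covering the two file names mentioned: ppp.log, ppp.tun0.log.

# Print every regular file under directory $1 matching ppp*.log that the
# "other" class can read (-perm -004 means "at least the o+r bit is set").
list_world_readable_ppp_logs() {
    find "$1" -type f -name 'ppp*.log' -perm -004 2>/dev/null
}

# Strip all "other" permissions from those files, leaving owner and group
# bits untouched. Prints how many files were tightened.
clamp_ppp_logs() {
    dir=$1
    before=$(list_world_readable_ppp_logs "$dir" | wc -l)
    find "$dir" -type f -name 'ppp*.log' -perm -004 -exec chmod o-rwx {} +
    after=$(list_world_readable_ppp_logs "$dir" | wc -l)
    echo $((before - after))
}

# Demo on a constructed directory so nothing under the real /var/log is touched.
demo_dir=$(mktemp -d)
for f in ppp.log ppp.tun0.log messages; do
    : > "$demo_dir/$f"
    chmod 644 "$demo_dir/$f"      # constructed: world-readable, as in the report
done
echo "world-readable before:"; list_world_readable_ppp_logs "$demo_dir"
echo "tightened: $(clamp_ppp_logs "$demo_dir")"
ls -l "$demo_dir"                 # ppp logs lose o+r, messages is left alone
rm -rf "$demo_dir"
```

To apply it to the real directory, run `clamp_ppp_logs /var/log` as root. A log recreated by rotation takes whatever mode the rotating tool assigns, so repeat the check afterwards.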