[build_debian.sh]: Fix /var/log having 0750 permissions instead of 0755 #10031
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
PR sonic-net#9481 changed auditd's log directory to be /var/log instead of /var/log/audit, because SONiC mounts a disk image at /var/log during runtime, and so the /var/log/audit directory might not exist (since it would've been created during package installation, mounting another partition at /var/log will hide it). However, for security reasons, auditd changes the log directory to have 0750 permissions, so that not everyone knows about the audit logs or read them. To fix this, revert the change to auditd's log directory, and tell systemd to create the audit log directory at runtime if it doesn't exist. Because the disk image gets mounted during initramfs (before systemd starts), systemd will make sure that the /var/log/audit directory will exist. Fixes sonic-net#9548 and sonic-net#10015 Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
yxieca
approved these changes
Feb 18, 2022
|
/azp run |
|
You have several pipelines (over 10) configured to build pull requests in this repository. Specify which pipelines you would like to run by using /azp run [pipelines] command. You can specify multiple pipelines using a comma separated list. |
|
/Azp run |
|
You have several pipelines (over 10) configured to build pull requests in this repository. Specify which pipelines you would like to run by using /azp run [pipelines] command. You can specify multiple pipelines using a comma separated list. |
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
saiarcot895
added
the
Request for 202111 Branch
judyjoseph
pushed a commit
that referenced
this pull request
Mar 7, 2022
…55 (#10031) PR #9481 changed auditd's log directory to be /var/log instead of /var/log/audit, because SONiC mounts a disk image at /var/log during runtime, and so the /var/log/audit directory might not exist (since it would've been created during package installation, mounting another partition at /var/log will hide it). However, for security reasons, auditd changes the log directory to have 0750 permissions, so that not everyone knows about the audit logs or read them. To fix this, revert the change to auditd's log directory, and tell systemd to create the audit log directory at runtime if it doesn't exist. Because the disk image gets mounted during initramfs (before systemd starts), systemd will make sure that the /var/log/audit directory will exist. Fixes #9548 and #10015 Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #9548 and #10015
Signed-off-by: Saikrishna Arcot sarcot@microsoft.com
Why I did it
PR #9481 changed auditd's log directory to be /var/log instead of
/var/log/audit, because SONiC mounts a disk image at /var/log during
runtime, and so the /var/log/audit directory might not exist (since it
would've been created during package installation, mounting another
partition at /var/log will hide it). However, for security reasons,
auditd changes the log directory to have 0750 permissions, so that not
everyone knows about the audit logs or read them.
This means that not even admin can list files in /var/log, which is a
regression from previous images.
How I did it
To fix this, revert the change to auditd's log directory, and tell
systemd to create the audit log directory at runtime if it doesn't
exist. Because the disk image gets mounted during initramfs (before
systemd starts), systemd will make sure that the /var/log/audit
directory will exist.
How to verify it
With this change, /var/log should have 0755 permissions, and admin should
be able to list the files in the directory.
Which release branch to backport (provide reason below if selected)
Description for the changelog
Link to config_db schema for YANG module changes
A picture of a cute animal (not mandatory but encouraged)