
LCFG Profile Security

As part of our ongoing project to improve the security of LCFG profile storage we intend to change the permissions on a number of standard directories used by the LCFG client to store state, logs, etc. All the following directories will be configured to be owned by the root user and be accessible to members of the lcfg group. The expectation is that administrators who wish to read the contents of any files, without being root, will be added to the lcfg group.

| Name | Path | Old Mode | New Mode | Purpose | Notes |
|---|---|---|---|---|---|
| LCFGVAR | /var/lcfg | 0755 | 0751 | Top-level state directory | For compatibility we need to allow other users access to sub-directories |
| LCFGCONF | /var/lcfg/conf | 01775 | 0751 | Component generated config data | For compatibility we need to allow other users access to files and sub-directories (e.g. /var/lcfg/conf/ntp.conf, /var/lcfg/conf/mail.mc) |
| LCFGLOG | /var/lcfg/log | 01755 | 02750 | Component log files | Minor tweaks may be needed for some components (e.g. /var/lcfg/log/dns.querylogs is now in /var/log) |
| LCFGTMP | /var/lcfg/tmp | 01775 | 0751 | Temporary files | For compatibility we need to allow other users access to sub-directories (e.g. /var/lcfg/tmp/dns) |
| LCFGRUN | /run/lcfg | 01775 | 02750 | Component run files | |
| LCFGSTATUS | /run/lcfg/status | 01775 | 02750 | Component status files (current resource state) | |
| LCFGLOCK | /run/lock/lcfg | 0755 | 02750 | Lock files for currently running component methods | |

From checking Informatics machines, it appears that the components which rely on users other than root having access to these directories are: dns, mail and ntp.
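An added audit script (not LCFG's own code) that checks a host against the owner, group and new modes in the table above, so the change can be verified after rollout and re-checked later. The `LCFG_OWNER` and `LCFG_GROUP` environment overrides are an assumption for testing on a machine without a root-owned tree; on a real host they stay at `root` and `lcfg`.

```sh
#!/bin/sh
# Added audit example (not LCFG's own code): compare the LCFG state directories
# with the owner, group and mode listed in the table above. 0751 keeps a directory
# traversable for other users without letting them list it; 02750 adds setgid so
# new files inherit the lcfg group. LCFG_OWNER/LCFG_GROUP are assumed overrides
# for testing on a host without a root:lcfg tree; leave them unset on a real host.
: "${LCFG_OWNER:=root}"
: "${LCFG_GROUP:=lcfg}"

# normalise_mode 02750 -> 2750, 0751 -> 751: the form GNU 'stat -c %a' prints.
normalise_mode() {
    printf '%o' "$((0$1))"
}

# check_dir PATH WANT_MODE: return 0 when owner, group and mode all match,
# otherwise print the first mismatch and return 1.
check_dir() {
    path=$1
    want=$(normalise_mode "$2")
    [ -d "$path" ] || { echo "MISSING  $path"; return 1; }
    # %a octal mode including setgid/sticky bits, %U owner name, %G group name
    set -- $(stat -c '%a %U %G' "$path")
    if [ "$2" != "$LCFG_OWNER" ] || [ "$3" != "$LCFG_GROUP" ]; then
        echo "OWNER    $path is $2:$3, expected $LCFG_OWNER:$LCFG_GROUP"
        return 1
    fi
    if [ "$1" != "$want" ]; then
        echo "MODE     $path is $1, expected $want"
        return 1
    fi
    echo "OK       $path ($1 $2:$3)"
}

# audit_all: check every directory from the table; the return value is the
# number of non-compliant directories, so 0 means the host matches the table.
audit_all() {
    fails=0
    while read -r dir mode; do
        check_dir "$dir" "$mode" || fails=$((fails + 1))
    done <<EOF
/var/lcfg 0751
/var/lcfg/conf 0751
/var/lcfg/log 02750
/var/lcfg/tmp 0751
/run/lcfg 02750
/run/lcfg/status 02750
/run/lock/lcfg 02750
EOF
    return $fails
}
```

Source the file and call `audit_all` (or `check_dir` on a single path); a non-zero exit status is the count of directories still on the old permissions.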

-- squinney - 2019-01-30

Topic revision: r2 - 2019-02-11 - squinney