ProfileSecurity < LCFG

Tags: view all tags
---+ LCFG Profile Security

As part of our ongoing project to improve the security of LCFG profile storage we intend to change the permissions on a number of standard directories used by the LCFG client to store state, logs, etc. All the following directories will be configured to be owned by the =root= user and be accessible to members of the =lcfg= group. The expectation is that administrators who wish to read the contents of any files, without being =root=, will be added to the =lcfg= group.

| *Name* | *Path* | *Old Mode* | * New Mode* | *Purpose* | *Notes* |
| LCFGVAR | =/var/lcfg= | =0755= | =0751= | Top-level state directory | For compatibility we need to allow other users access to sub-directories | 
| LCFGCONF | =/var/lcfg/conf= | =01775= | =0751= | Component generated config data | For compatibility we need to allow other users access to files and sub-directories (e.g. =/var/lcfg/conf/ntp.conf=, =/var/lcfg/conf/mail.mc=) | 
| LCFGLOG | =/var/lcfg/log= | =01755= | =02750= | Component log files | Minor tweaks may be needed for some components (e.g. =/var/lcfg/log/dns.querylogs= is now in =/var/log=) |
| LCFGTMP | =/var/lcfg/tmp= | =01775= | =0751= | Temporary files | For compatibility we need to allow other users access to sub-directories (e.g. =/var/lcfg/tmp/dns=) | 
| LCFGRUN | =/run/lcfg= | =01775= | =02750= | Component run files | &nbsp; |
| LCFGSTATUS | =/run/lcfg/status= | =01775= | =02750= | Component status files (current resource state) | &nbsp; |
| LCFGLOCK | =/run/lock/lcfg= | =0755= | =02750= | Lock files for currently runnning component methods | &nbsp; |

From checking Informatics machines, it appears that the components which rely on having access to these directories for users other than root are: dns, mail and ntp 

-- %USERSIG{squinney - 2019-01-30}%
Topic revision: r2 - 2019-02-11 - squinney