LCFG Profile Security
As part of our ongoing project to improve the security of LCFG profile storage we intend to change the permissions on a number of standard directories used by the LCFG client to store state, logs, etc. All the following directories will be configured to be owned by theroot user and be accessible to members of the lcfg group. The expectation is that administrators who wish to read the contents of any files, without being root, will be added to the lcfg group.
| Name | Path | Old Mode |
New Mode | Purpose | Notes |
|---|---|---|---|---|---|
| LCFGVAR | /var/lcfg |
0755 |
0751 |
Top-level state directory | For compatibility we need to allow other users access to sub-directories |
| LCFGLOCK | /run/lock/lcfg |
0755 |
02750 |
Lock files for currently runnning component methods | |
| LCFGLOG | /var/lcfg/log |
01755 |
02750 |
Component log files | Minor tweaks may be needed for some components (e.g. /var/lcfg/log/dns.querylogs is now in /var/log) |
| LCFGCONF | /var/lcfg/conf |
01775 |
0751 |
Component generated config data | For compatibility we need to allow other users access to files and sub-directories (e.g. /var/lcfg/conf/ntp.conf, /var/lcfg/conf/mail.mc) |
| LCFGTMP | /var/lcfg/tmp |
01775 |
0751 |
Temporary files | For compatibility we need to allow other users access to sub-directories (e.g. /var/lcfg/tmp/dns) |
| LCFGRUN | /run/lcfg |
01775 |
02750 |
Component run files | |
| LCFGSTATUS | /run/lcfg/status |
01775 |
02750 |
Component status files (current resource state) |
squinney - 2019-01-30 
Edit | Attach | Print version | History: r2 < r1 | Backlinks | Raw View | More topic actions
Site map
LCFG web
Create New Topic
Index
Search
Changes
Notifications
RSS Feed
Statistics
Preferences
Account 
Copyright © 2008-2021 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback