opnsense-src/libexec/rc/rc.d
Ian Lepore 1e121c3ef1 Limit access to system accounting files.
In 2013 the security chapter of the Handbook was updated in r42501 to
suggest limiting access to the system accounting file [1] by creating the
initial file with a mode of 0600. This was in part based on a discussion in
the forums [2]. Unfortunately, this advice is overridden by the fact that a
new file is created as part of periodic daily processing, and the file mode
is set by the rc.d/accounting script.

These changes update the accounting script to create the directory with mode
0750 if it doesn't already exist, and to create the daily file with mode
0640. This limits write access to root only, read access to root and members
of wheel, and eliminates world access completely. For admins who want to
prevent even members of wheel from accessing the files, the mode of the
/var/account directory can be manually changed to 0700, because the script
never creates or changes that directory if it already exists.

The accounting_rotate_log() function now also handles the error cases of no
existing log file to rotate, and attempting to rotate the file multiple
times (.0 file already exists).

Another small change here eliminates the complexity of the mktemp/chmod/mv
sequence for creating a new acct file by using install(1) with the flags
needed to directly create the file with the desired ownership and
modes. That allows coalescing two separate if checkyesno accounting_enable
blocks into one.

These changes were inspired by my investigation of PR 202203.

[1] https://www.freebsd.org/doc/handbook/security-accounting.html
[2] http://forums.freebsd.org/showthread.php?t=41059

PR:		202203
Differential Revision:	https://reviews.freebsd.org/D20876
2019-07-13 16:07:38 +00:00
abi Revert r346017 pending compiled-in zfs fix 2019-04-10 07:51:13 +00:00
accounting Limit access to system accounting files. 2019-07-13 16:07:38 +00:00
addswap
adjkerntz
amd
apm
apmd
archdep Remove iBCS2, part1: userspace 2018-12-19 21:56:54 +00:00
auditd
auditdistd
automount
automountd
autounmountd
bgfsck
blacklistd
bluetooth
bootparams
bridge
bsnmpd
bthidd Revert r346017 pending compiled-in zfs fix 2019-04-10 07:51:13 +00:00
ccd
cfumass Revert r346017 pending compiled-in zfs fix 2019-04-10 07:51:13 +00:00
cleanvar
cleartmp
cron
ctld
DAEMON
ddb
defaultroute
devd
devfs
devmatch
dhclient
dmesg
dumpon
FILESYSTEMS
fsck
ftp-proxy
ftpd
gbde
geli
geli2
gptboot
growfs Remove an unneeded 'tail -n 1' from a pipeline 2019-03-11 13:33:03 +00:00
gssd
hastd
hcsecd
hostapd Allow the hostapd program to be specified. This allows users to use 2019-06-17 20:11:02 +00:00
hostid
hostid_save
hostname
inetd
iovctl
ip6addrctl
ipfilter
ipfs
ipfw Add ability to automatically load ipfw_nat64, ipfw_nptv6 and ipfw_pmod 2019-03-23 15:41:32 +00:00
ipfw_netflow
ipmon Allow forced start of ipmon in special cases where testing is desired 2018-11-22 04:48:27 +00:00
ipnat
ippool The check for $ippool_rules in start_cmd is tautological. 2019-03-23 04:32:10 +00:00
ipropd_master
ipropd_slave
ipsec Add ipsec.ko to required_modules for rc.d/ipsec script. 2019-05-06 08:30:53 +00:00
iscsictl
iscsid
jail Move definition of $jail_conf variable to /etc/defaults/rc.conf 2018-11-10 14:11:54 +00:00
kadmind
kdc
keyserv
kfd
kld Revert r346017 pending compiled-in zfs fix 2019-04-10 07:51:13 +00:00
kldxref
kpasswdd
ldconfig
local /etc/rc.d/local: Fix typo in description 2019-06-10 13:34:18 +00:00
local_unbound Run unbound-anchor when root.key is empty, not just when it is absent. 2018-11-01 14:24:12 +00:00
localpkg
lockd
LOGIN
lpd
Makefile pkgbase: Remove etc/zfs from being packaged 2019-05-23 06:53:59 +00:00
mdconfig Revert r346017 pending compiled-in zfs fix 2019-04-10 07:51:13 +00:00
mdconfig2 Revert r346017 pending compiled-in zfs fix 2019-04-10 07:51:13 +00:00
mixer
motd rc.d/motd: Update motd more robustly 2019-06-21 02:37:54 +00:00
mountcritlocal
mountcritremote Revert r346017 pending compiled-in zfs fix 2019-04-10 07:51:13 +00:00
mountd
mountlate
moused
msgs
natd
netif
netoptions
netwait
NETWORKING
newsyslog
nfscbd
nfsclient
nfsd Add support for a virtual hostname to nfsd 2019-02-16 00:15:54 +00:00
nfsuserd
nisdomain
nscd
nsswitch
ntpd Remove accidentally-added blank line; the style throughout this file 2019-05-23 01:49:08 +00:00
ntpdate
opensm
othermta
pf
pflog
pfsync
power_profile
powerd
ppp
pppoed
pwcheck
quota
random save-entropy(8), rc.d/random: Set nodump flag 2019-05-22 21:47:17 +00:00
rarpd
rctl
resolv
rfcomm_pppd_server
root
route6d
routed
routing
rpcbind
rtadvd
rtsold
rwho
savecore
sdpd
securelevel
sendmail
serial
SERVERS
sppp
sshd
statd
static_arp
static_ndp
stf
swap
swaplate
syscons Revert r346017 pending compiled-in zfs fix 2019-04-10 07:51:13 +00:00
sysctl
syslogd
tmp
ubthidhci
ugidfw
utx
var
virecover
watchdogd
wpa_supplicant
ypbind
ypldap
yppasswdd
ypserv
ypset
ypupdated
ypxfrd
zfs
zfsbe
zfsd
zvol