MFC r349807, r349974, r349976, r350324, r350361, r350445


MFC r349807, r349974, r349976, r350324, r350361, r350445

Eliminate spurious periodic.daily error message for rotating accounting log.

In 2011, r218961 removed local code for rotating logs in favor of using the
rotate_log command in etc/rc.d/accounting. If the accounting service is
activated then subsequently de-activated in rc.conf but still remains active
in periodic.conf, then you get an error message every day in the periodic
jobs about being unable to rotate the logs.

With this change to use "onerotate_log", the log rotation will happen the
first time periodic daily runs after accounting was disabled but periodic
accounting was left enabled. After that happens once, the /var/account/acct
will no longer exist, which results in a different path through the periodic
code and no more error messages will appear (unless daily_show_badconfig is
set, in which case the admin will be told that periodic security processing
is enabled but the accounting file is not present).

This is only a partial fix for the problems reported in PR 202203.

PR: 202203

Limit access to system accounting files.

In 2013 the security chapter of the Handbook was updated in r42501 to
suggest limiting access to the system accounting file [*1] by creating the
initial file with a mode of 0600. This was in part based on a discussion in
the forums [*2]. Unfortunately, this advice is overridden by the fact that a
new file is created as part of periodic daily processing, and the file mode
is set by the rc.d/accounting script.

These changes update the accounting script to create the directory with mode
0750 if it doesn't already exist, and to create the daily file with mode
0640. This limits write access to root only, read access to root and members
of wheel, and eliminates world access completely. For admins who want to
prevent even members of wheel from accessing the files, the mode of the
/var/account directory can be manually changed to 0700, because the script
never creates or changes that directory if it already exists.

The accounting_rotate_log() function now also handles the error cases of no
existing log file to rotate, and attempting to rotate the file multiple
times (.0 file already exists).

Another small change here eliminates the complexity of the mktemp/chmod/mv
sequence for creating a new acct file by using install(1) with the flags
needed to directly create the file with the desired ownership and
modes. That allows coalescing two separate if checkyesno accounting_enable
blocks into one.

These changes were inspired by my investigation of PR 202203.

[1] https://www.freebsd.org/doc/handbook/security-accounting.html
[2] http://forums.freebsd.org/showthread.php?t=41059

PR: 202203
Differential Revision: https://reviews.freebsd.org/D20876

Add an entry mentioning the permission/mode change to daily accounting files.

Fix indentation (spaces->tab).

Re-wrap the text at 80 columns after fixing the indent in the prior commit.

Create the /var/account dir with mode 0750; this is a followup to r349974.

The rc.d/account script contains code to create the /var/account dir, so
it hadn't occurred to me that it is normally created via mtree; thanks to
jilles@ for pointing it out.


ianAuthored on
Differential Revision
D20876: Limit access to system accounting files
rS350877: MFC r349891, r349972