Subject: [bug#54309] [PATCH] services: auditd: use exclusive log directory for auditd
From: Maxime Devos
To: fesoj000, 54309@debbugs.gnu.org
Date: Wed, 09 Mar 2022 20:36:09 +0100
Message-ID: <4ca12a3e0b1662addecb8bcca1f63ba5e223e8b8.camel@telenet.be>

fesoj000 wrote on Wed 09-03-2022 at 20:21 [+0100]:
> Currently auditd writes logs to /var/log/audit.log. This is a problem because
> auditd changes the permissions of the directory audit.log lives in to
> 700.

Why is auditd doing this? Can this behaviour be patched out? Is there
an upstream report?

> /var/log usually has 755, this is assumed by some services. postgresql
> for example, fails when used together with auditd.

Why does postgresql care about the group and other bits? Could
postgresql be modified not to care? What are the reasons for changing
the group and other bits? Perhaps that should be done by default by
Guix when creating /var/log (POLA)?

In any case, I would recommend adding to auditd.scm to make clear why
the default log location is unacceptable.

Greetings,
Maxime.