{"id":1570,"date":"2017-07-03T19:32:04","date_gmt":"2017-07-03T19:32:04","guid":{"rendered":"http:\/\/hauweele.net\/~gawen\/blog\/?p=1570"},"modified":"2017-07-12T23:51:21","modified_gmt":"2017-07-12T23:51:21","slug":"hide-logs-from-wheel-users","status":"publish","type":"post","link":"https:\/\/hauweele.net\/~gawen\/blog\/?p=1570","title":{"rendered":"Hide logs from wheel users"},"content":{"rendered":"<p>If you have grown accustomed to FreeBSD administration, you&#8217;ve probably learned that users need to be members of the <a href=\"http:\/\/www.freebsd.org\/doc\/handbook\/users-synopsis.html#users-superuser\"><em>wheel<\/em><\/a> group to be able to use the <code>su<\/code> command. Some in the land of GNU <a href=\"http:\/\/ftp.gnu.org\/old-gnu\/Manuals\/coreutils-4.5.4\/html_node\/coreutils_149.html#SEC150\">don&#8217;t agree<\/a> so much with this way of doing things and firmly believe that <code>wheel<\/code> is an instrument of power (which is true in a literal sense), but that&#8217;s another story.<\/p>\n<p>In fact I am perfectly fine with this, save for one little detail. By default most log files are owned by <code>root:wheel<\/code>. Although some of them have permission 600, a lot of them are 640, which means that members of the wheel group will be able to read them. We have basically two solutions to fix this:<\/p>\n<ul>\n<li>Fix permissions in <code>\/etc\/newsyslog.conf<\/code>.<\/li>\n<li>Use another group instead of <code>wheel<\/code> for the <code>su<\/code> command.<\/li>\n<\/ul>\n<p>Fixing <code>newsyslog.conf<\/code> is quite easy: just replace the mode column with any permission you fancy (in our case 600). Don&#8217;t forget to restart <code>newsyslog<\/code> and fix existing permissions with <code>find \/var\/log -type f -exec chmod 600 {} \\;<\/code>.<\/p>\n<p>However that might not be enough. You see, on most BSDs <code>wheel<\/code> has gid 0, whereas on Linux it is <code>root<\/code> that has gid 0. 
Nobody is supposed to be a member of <code>root<\/code>, but it serves as a general purpose group for anything owned solely by root. As such you can often use <code>chown 0:0<\/code> as a synonym for <em>owned by root<\/em>.<\/p>\n<p>But <code>root:root<\/code> on Linux would not have the same meaning as <code>root:wheel<\/code> on BSD. In particular, you can generally assume that files owned by <code>root:root<\/code> with permission 640 on Linux are only readable by the root user, but the same assumption doesn&#8217;t translate so well for us BSD users.<\/p>\n<p>While I&#8217;m not keen on importing that kind of Linuxism into FreeBSD, one way to deal with it would be to use another group for <code>su<\/code> users. For this we would:<\/p>\n<ul>\n<li>Create the <code>su<\/code> system group.<\/li>\n<li>Move all members of <code>wheel<\/code> to this group.<\/li>\n<li>Modify <code>\/etc\/pam.d\/su<\/code> to use <code>group=su<\/code> instead of <code>group=wheel<\/code>.<\/li>\n<\/ul>\n<p>Now I don&#8217;t personally do that, but I guess what you do is your business.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you have grown accustomed to FreeBSD administration, you&#8217;ve probably learned that users need to be members of the wheel group to be able to use the su command. 
Some in the land of GNU don&#8217;t agree so much with &hellip; <a href=\"https:\/\/hauweele.net\/~gawen\/blog\/?p=1570\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[856,389,854,6,855,853,857,243,852,851],"class_list":["post-1570","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-bsd","tag-freebsd","tag-hide","tag-linux","tag-linuxism","tag-log","tag-newsyslog","tag-root","tag-su","tag-wheel"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1570","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1570"}],"version-history":[{"count":0,"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1570\/revisions"}],"wp:attachment":[{"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1570"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1570"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1570"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}