Douglas A. Tutty wrote:
The other question:
Does the stuff there need to be seen so often that administrative users
might be tempted to do a "sudo -s" over "sudo more ...", and then do
something stupid that would have been a non-event if they weren't root?

Difficult to maintain does NOT equal secure.
Difficult to maintain usually means "improperly maintained", and that
usually means insecure.

IF you are producing messages output that the general users should NOT
be seeing, go ahead, change the access permissions! If you look at the
number of systems that either
1) have only administrative users or
2) have nothing secret going to /var/log/messages
you have probably covered the vast majority of OpenBSD systems. So, I
don't want to see the vast majority of systems made more difficult to
administer and perhaps prompting the user to "live" as root more than
needed.

Glancing through the /var/log/messages files on a few of my machines,
I found nothing I wouldn't be more than happy to post to the Internet,
other than the rather anemic specs might be a bit embarrassing, but I
found that I was glad I didn't have to have root privs to look at
them.
Nick.
