Confusing security report


D'Arcy Cain

Jun 8, 2024, 8:42:06 AM
to freebsd-...@freebsd.org
On a number of my servers I have the following in the daily security report:

Checking login.conf permissions:
Bad ownership of /etc/login.conf

The thing is that I don't have that file. I create /etc/login.conf.db
from a file in my own repository. Would I be OK creating an empty
/etc/login.conf just to keep it quiet?

Cheers.

--
D'Arcy J.M. Cain <da...@druid.net> | Democracy is three wolves
http://www.druid.net/darcy/ | and a sheep voting on
+1 416 788 2246 (DoD#0082) (eNTP) | what's for dinner.
IM: da...@Vex.Net, VoIP: sip:da...@druid.net

lain.

Jun 8, 2024, 10:45:44 AM
to ques...@freebsd.org
On 2024-06-08 08:41, the silly D'Arcy Cain claimed to have said:
> On a number of my servers I have the following in the daily security report:
>
> Checking login.conf permissions:
> Bad ownership of /etc/login.conf
>
> The thing is that I don't have that file. I create /etc/login.conf.db from
> a file in my own repository. Would I be OK creating an empty
> /etc/login.conf just to keep it quiet?

Just curious, but why do you not have a /etc/login.conf file?
From my understanding, this is one of the mandatory files on any BSD
system, even if everything is commented out (or the file is blank).

So a simple `touch /etc/login.conf` would silence the report.

--
lain.
PGP public key: https://fair.moe/lain.asc

D'Arcy Cain

Jun 8, 2024, 11:14:26 AM
to ques...@freebsd.org
I thought I explained that but let me expand. I have a login.conf in my
subversion repository which is checked out on every server in my farm.
At boot time it runs this command:

cap_mkdb -f /etc/login.conf /Vybe/etc/general/login.conf

So that creates the /etc/login.conf.db. If that db file exists it will
be used regardless of whether /etc/login.conf exists.

I thought I could simply symlink the repo file into /etc but I am pretty
sure that would give me the same ownership warning.

Yah, I will probably just create an empty file for login.conf. Maybe my
rc.local, where I have that cap_mkdb command, can simply do this:

>/etc/login.conf

Lowell Gilbert

Jun 9, 2024, 12:10:08 PM
to D'Arcy Cain, ques...@freebsd.org
D'Arcy Cain <da...@druid.net> writes:

> I thought I explained that but let me expand. I have a login.conf in
> my subversion repository which is checked out on every server in my
> farm. At boot time it runs this command:
>
> cap_mkdb -f /etc/login.conf /Vybe/etc/general/login.conf
>
> So that creates the /etc/login.conf.db. If that db file exists it
> will be used regardless of whether /etc/login.conf exists.
>
> I thought I could simply symlink the repo file into /etc but I am
> pretty sure that would give me the same ownership warning.

It will make the same test against the real file. If that gives you a
warning, I'd be inclined to tighten up how the repo gets checked out.

This does suggest that maybe a similar check should be made on the .db
file, though. I'm not sure exactly how that should be implemented; for
my own purposes I would automatically regenerate the db, but I'm not
sure there's any one action that would be appropriate for everyone.

For cases where you know for sure that this check is always a false
positive, disabling the check is easy. For more complicated local
situations, customizing the logincheck script is only slightly more
complicated.

In short, there are a lot of reasonable ways to deal with this
situation. Season to taste.

Be well.
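As an added example (not part of the thread, and not FreeBSD's own periodic logincheck script), the following POSIX shell script reproduces the kind of ownership and write-permission test behind the "Checking login.conf permissions" line and, as Lowell suggests, applies the same test to the compiled /etc/login.conf.db. It follows symlinks, so a repository file symlinked into /etc is judged by its real target, which is the point Lowell makes about the symlink idea. It generalizes beyond the page in that the file and the expected owner are parameters. The function names, the wording of the report lines, and the repository path /Vybe/etc/general/login.conf (taken from D'Arcy's cap_mkdb command) are assumptions.

```shell
#!/bin/sh
# Added example; not the periodic(8) logincheck script that ships with FreeBSD.
# Checks that a login.conf-style file is owned by the expected user and is not
# group- or world-writable, following symlinks, and extends the same test to
# the compiled login.conf.db, which is what is actually consulted when it exists.

# check_login_file FILE [EXPECTED_OWNER]
# Returns 0 when FILE exists, is owned by EXPECTED_OWNER (default root) and is
# neither group- nor world-writable; otherwise prints a line in the style of the
# daily security report and returns 1.
check_login_file() {
    f=$1
    want_owner=${2:-root}
    if [ ! -e "$f" ]; then
        echo "Missing $f"
        return 1
    fi
    # ls -L follows symlinks; the fields are: mode links owner group ...
    set -- $(ls -ldL "$f")
    mode=$1
    owner=$3
    rc=0
    if [ "$owner" != "$want_owner" ]; then
        echo "Bad ownership of $f (owned by $owner, expected $want_owner)"
        rc=1
    fi
    # In the 10-character mode string, character 6 is the group write bit and
    # character 9 is the world write bit.
    case $mode in
        ?????w*|????????w*)
            echo "Bad permissions on $f ($mode is group- or world-writable)"
            rc=1 ;;
    esac
    return $rc
}

# check_login_conf_pair CONF DB [EXPECTED_OWNER]
# Runs the same test on the text file and, if present, on the compiled db.
# The text file is reported as missing when absent, so an empty placeholder
# /etc/login.conf still has to have sane ownership to pass.
check_login_conf_pair() {
    conf=$1
    db=$2
    owner=${3:-root}
    rc=0
    check_login_file "$conf" "$owner" || rc=1
    if [ -e "$db" ]; then
        check_login_file "$db" "$owner" || rc=1
    fi
    return $rc
}

# regenerate_login_db SRC
# Lowell's "regenerate the db" option, using the cap_mkdb invocation from the
# thread. Only usable where cap_mkdb exists (FreeBSD); SRC is the checked-out
# repository copy, e.g. /Vybe/etc/general/login.conf (assumed path).
# Deliberately not called automatically below: it overwrites /etc/login.conf.db.
regenerate_login_db() {
    if command -v cap_mkdb >/dev/null 2>&1; then
        cap_mkdb -f /etc/login.conf "$1"
    else
        echo "cap_mkdb not available; cannot regenerate /etc/login.conf.db" >&2
        return 1
    fi
}

# Stand-alone use: report on the system files without changing anything.
check_login_conf_pair /etc/login.conf /etc/login.conf.db root \
    || echo "login.conf check flagged a problem (see lines above)"
```

In an rc.local setup like D'Arcy's, the natural wiring is to run check_login_conf_pair after the cap_mkdb step and, if the db check fails, call regenerate_login_db with the repository copy; the script above leaves that decision to the operator because, as Lowell notes, no single corrective action suits everyone.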

D'Arcy Cain

Jun 13, 2024, 7:03:38 AM
to ques...@freebsd.org
On 2024-06-08 11:13, D'Arcy Cain wrote:
> Yah, I will probably just create an empty file for login.conf.  Maybe my
> rc.local, where I have that cap_mkdb command, can simply do this:
>
>   >/etc/login.conf

Thanks to all for your suggestions. I decided to simply add
"security_status_logincheck_enable=NO" to periodic.conf.

Cheers.