From: Alexander Bluhm
Subject: Re: chmod o= /var/account/acct
To: tech@openbsd.org
Date: Mon, 19 Feb 2024 15:53:00 +0100

On Sat, Feb 17, 2024 at 11:42:09AM +0100, Marcus MERIGHI wrote:
> Hello,
>
> I've wondered whether it is good to have system accounting information
> readable by everyone.

Is it worse than looking at other users' processes with ps?
I see no secrets in lastcomm output. Writing doas in front of each
command does not make the world better.

> I've done a quick test with 'chmod o= /var/account/acct' and nothing
> seems to break (on amd64, -current).
>
> That is why I propose the patch to /etc/mtree/special below.
>
> Marcus
>
> Index: special > =================================================================== > RCS file: /cvs/src/etc/mtree/special,v > retrieving revision 1.129 > diff -u -p -r1.129 special > --- special 19 Sep 2023 15:02:55 -0000 1.129 > +++ special 17 Feb 2024 10:37:07 -0000 > @@ -161,7 +161,7 @@ share type=dir mode=0755 uname=root gna > > var type=dir mode=0755 uname=root gname=wheel > account type=dir mode=0755 uname=root gname=wheel > -acct type=file mode=0644 uname=root gname=wheel optional > +acct type=file mode=0640 uname=root gname=wheel optional > .. #var/account > yp type=dir mode=0755 uname=root gname=wheel optional ignore > .. #var/yp
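
Review bot: On the changed `acct` line, mode=0640 with gname=wheel still leaves the file readable by every member of wheel, and the parent `account` entry stays at mode=0755, so other users can still list the file and see its size and timestamps; if that is the intended scope, the commit message should say so. The hunk changes only the expected mode in the spec, so whatever creates the file has to produce 0640 as well or this entry will report a mismatch; the test quoted above was a manual chmod, which does not exercise that path.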