Permissions on apt history log file

Asked by Simon Gould

The permissions on /var/log/apt/history.log are set to 644, which is world-readable.
If I manually change permissions on this log file to 640, apt changes it back to 644 the next time it adds to the file.

It looks to me like this happens in the source code here:
https://git.launchpad.net/ubuntu/+source/apt/tree/apt-pkg/deb/dpkgpm.cc#n1054

with this line in dpkgpm.cc:
chmod(history_name.c_str(), 0644);

Is there some other way to configure the permissions on this?
Why does this file need to be world-readable?

It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected.
The info in this file shows which packages/versions have been installed/uninstalled, and could be useful to a hacker to determine vulnerabilities.

The permissions on this file being set to 644 causes systems to fail industry standard CIS Security Benchmarks [4.2.3 Ensure permissions on all logfiles are configured]

Question information

Language: English
Status: Answered
For: Ubuntu apt
Assignee: No assignee
actionparsnip (andrew-woodhead666) said :
#1

I'd say so that users can read the log to see what was installed for investigation purposes, but I'm just guessing.

Manfred Hampl (m-hampl) said :
#2

If you deem this important enough to request a change, then I suggest that you create a bug report.

Due to the fact that Ubuntu is copying that package from Debian, this should also be reported in the Debian bug tracker (preferably with cross references between the bug reports).

Note: Just 16 lines above setting the access rights for the history log to 644, the access restrictions for the terminal log are set to 640 (line 1038). This is somewhat inconsistent.
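An added compliance check, not part of the question or of either answer above: a POSIX shell script that reports apt log files whose "other" permission bits are set (the 0644 that apt re-applies to history.log, as opposed to the 0640 it uses for term.log noted in answer #2), run here over a constructed scratch directory rather than the real /var/log/apt. It assumes GNU stat as shipped on Ubuntu; the function names and sample paths are my own.

```shell
#!/bin/sh
# Flag apt log files that grant access to "other" users, i.e. the 0644
# that apt re-applies to history.log, versus the 0640 of term.log.
# Assumes GNU stat (Ubuntu); function names and paths are constructed.

# Octal mode of a file without leading zeros, e.g. 644 or 640.
file_mode() {
    stat -c '%a' "$1"
}

# Succeed (exit 0) only if the "other" bits (last octal digit) are all clear.
others_have_no_access() {
    mode=$(file_mode "$1")
    [ $(( mode % 10 )) -eq 0 ]
}

# Print "mode path" for every *.log in a directory that other users can
# read, write or execute. Prints nothing when the directory is compliant.
list_world_accessible_logs() {
    for f in "$1"/*.log; do
        [ -f "$f" ] || continue
        if ! others_have_no_access "$f"; then
            printf '%s %s\n' "$(file_mode "$f")" "$f"
        fi
    done
}

# Constructed sample: a scratch directory that mimics /var/log/apt after
# apt has rewritten its logs (history.log forced to 0644, term.log 0640).
make_sample_apt_logdir() {
    d=$(mktemp -d)
    : > "$d/history.log"
    chmod 0644 "$d/history.log"
    : > "$d/term.log"
    chmod 0640 "$d/term.log"
    printf '%s\n' "$d"
}

# Run the check over the sample; only history.log should be reported.
# On a real host, point it at /var/log/apt instead.
sample=$(make_sample_apt_logdir)
list_world_accessible_logs "$sample"
rm -rf "$sample"
```

Because apt resets the mode on every write, the check is only useful if it runs after each apt run or on a schedule; a one-off chmod will not stay in place, as the question describes.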
