Antisocial permissions on saved knowledge bases
Hi,

Nessus creates saved knowledge base files with 600 permissions. This is
a pain in our setup as you have to leave root shells lying around to
read them, which I try to avoid for security. What I've done is make the
kb directory set-gid and appropriately owned, and modified
nessus-core/nessusd/save_kb.c to use 640 permissions. The diff is attached.

I think this should go in the main nessus tree - as the file is owned by
root's group (notwithstanding the set-gid trick), the changed
permissions don't actually change access levels in normal use.

Paul

--
Paul Johnston
Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@westpoint.ltd.uk
web: www.westpoint.ltd.uk



--- /project/nessus/nessus-core/nessusd/save_kb.c Thu Nov 21 09:39:59 2002
+++ save_kb.c Tue Nov 26 16:43:32 2002
@@ -441,7 +441,7 @@
return 0;
}
unlink(fname); /* delete the previous kb */
- f = open(fname, O_CREAT|O_RDWR|O_EXCL, 0600);
+ f = open(fname, O_CREAT|O_RDWR|O_EXCL, 0640);
if(f < 0)
{
log_write("user %s : Can not save KB for %s - %s", user, hostname, strerror(errno));
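Review bot: the 0640 passed to open() in the `f = open(fname, O_CREAT|O_RDWR|O_EXCL, 0640);` line is still masked by the daemon's umask, so a nessusd started with umask 077 keeps producing 0600 files and the widening silently does nothing; if group readability is the intent, follow the open() with an fchmod() to the wanted mode, or at least say in a comment that the effective mode depends on the umask. The hunk also relies on something it cannot see: which group gains read access is decided by the set-gid bit on the kb directory (or, without it, by the process's group), so a short comment above the open() stating that the directory must be group-owned by the intended readers would keep the next maintainer from reading 0640 as a hardening choice rather than a sharing one.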
@@ -602,7 +602,7 @@
{
char buf[4096];
int n;
- fd_dst = open(newname, O_WRONLY|O_CREAT|O_TRUNC, 0600);
+ fd_dst = open(newname, O_WRONLY|O_CREAT|O_TRUNC, 0640);
if(fd_dst < 0)
{
log_write("save_kb_backup failed : %s", strerror(errno));
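Review bot: in `fd_dst = open(newname, O_WRONLY|O_CREAT|O_TRUNC, 0640);` the mode only applies when newname does not yet exist; with O_TRUNC and no O_EXCL an existing backup keeps whatever mode it already has, so backups written before this change stay 0600 while new ones become 0640, and the same umask masking as in the first hunk applies here. Either fchmod() the descriptor after open() so both cases end up identical, and since the literal is now duplicated at two call sites, factor it into one `#define` (for example a single KB file mode constant used by both the save and the backup path) so the two cannot drift apart.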
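Added here as an illustration, not part of Paul's patch or the Nessus source: a small C check that creates a file with the same open() call as the patched save_kb.c and reports the permission bits that actually land on disk. It shows the caveat that the 0640 literal is still masked by the daemon's umask, and how an explicit fchmod() makes the intended mode stick; the path and function names are assumptions.

```c
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Create a saved-KB file with exactly the flags the patched save_kb.c uses
 * (O_CREAT|O_RDWR|O_EXCL, mode) and return the permission bits that resulted.
 * The mode argument to open() is masked by the process umask, so a daemon
 * started with umask 077 still produces 0600 files despite the patch. When
 * enforce is nonzero the requested mode is applied with fchmod(), which the
 * umask does not touch.
 *
 * Returns st_mode & 07777 of the created file, or -1 on error. The file is
 * removed again before returning so the check leaves no residue.
 * fname is a hypothetical path chosen by the caller.
 */
int create_kb_file_mode(const char *fname, mode_t mode, int enforce)
{
    struct stat st;
    int f, bits;

    unlink(fname);                       /* delete the previous kb, as save_kb.c does */
    f = open(fname, O_CREAT | O_RDWR | O_EXCL, mode);
    if (f < 0)
        return -1;
    if (enforce && fchmod(f, mode) < 0) {
        close(f);
        unlink(fname);
        return -1;
    }
    if (fstat(f, &st) < 0) {
        close(f);
        unlink(fname);
        return -1;
    }
    bits = (int)(st.st_mode & 07777);
    close(f);
    unlink(fname);
    return bits;
}

/* Does the file come out readable by its group and by nobody else? */
int mode_is_group_readable_only(int bits)
{
    return bits >= 0 && (bits & 0077) == 0040;
}
```

With umask 077 the unenforced call returns 0600, which is exactly the situation the patch is meant to fix; the enforced call returns 0640 regardless of umask.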