oss-sec mailing list archives
Re: nginx CVE-2013-0337 world-readable logs
From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 24 Feb 2013 13:24:53 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/24/2013 12:34 AM, gremlin () gremlin ru wrote:
On 22-Feb-2013 15:46:15 +0400, I wrote:Some distros are affected.Alas for them... But the solution is simple.This is not just misconfiguration.This issue isn't related to the nginx itself. However, I'd agree that nginx could use restrictive mode for its' log files: +++ nginx-1.2.7/src/core/ngx_log.c @@ -325,7 +325,7 @@ - NGX_FILE_DEFAULT_ACCESS); + NGX_FILE_USR_GRP_ACCESS);I've contacted the nginx team via their security-alert@ and got the "won't fix" answer by Maxim Dounin:We are fine with default permissions used for log files. If in a particular configuration stricter permissions are required, this may be done either by creating appropriate log files with needed permissions, or by restricting access to a directory with log files.Although respecting the umask value could be a better solution (and I'll try once again to convince the developers in that), the developers' opinion is clear: pre-creating the logs is the expected method to fix the ${subject}.
I somewhat disagree for the simple fact that web servers MUST log sensitive information (e.g. GET strings) to be of any use. This goes back to the discussion regarding programs such as gpg. Personally I would rather see the log files (ALL log files for ALL programs actually) created using a default permission that is safe (e.g. 0600 or 0660 if it writes to it with the group permissions), but can be configured and easily overridden in a config file (e.g. nginx.conf) so that people that have a legitimate need for world readable log files can do so easily. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRKncVAAoJEBYNRVNeJnmT1J0QAITraA2TQQ75m+Kje4vzp3b+ db+q3RbrEaY+5VdrtWCq16LNIzpU08Zh6qhoHx15KTrk9QJ996foYDfhiuuDaXT5 vvtDjPv4ddgzuh4iQbz1BVpI/XQ2PBuac9rbvZmExQqxA4Bis5IJGckgoVY299Os gnEQcoU04+nAntMH3lH/6rAJ7GM00Y05Tca7dXc6Y1aKi9coRcIlqZgMO+Fkzgys nYTFLoR7BA2O5znWxVBqPHNeXFLZgh0JPPnCfyCtAKiVr8cKuDfX36IKz8wCD66c Dw6204V3MnkN/xNZUguFnbkbROfzAaCt6JXWRC0Ye2AcsWvHqbagYfXaOQ/5UMNT 2QEB6LvWzfcmIAOguEffCYLYDWoMsQI2M5whK7VAO/nniHN+3frOSkz2SHqpfqSe fEyre6oVf3i/1IJaWPWKEst7RZVSte8Pgwnef2C7sGjnuINt2FBH9RQLHLDV79E5 7Bbd6KWmC6mZULGZvwZm7jdMpwnPj0gyJiumXPXdFcPfMGw3Sc/8aIB6kEUM4Puf F7UCPRene3OaI5xtAXXC3RglBBD3kHLSF146Ng2Qvo/zUj3mNj5pa6qouiMJ3Kkb cqIp59Sbn0zWCkOVWhgsvDMgL/5F0bmw178ttRA17fBzb178ox2VY0NnUmQWBytz Q4OBraQ+yCIzS3cGO+FA =EBGC -----END PGP SIGNATURE-----
Current thread:
- Re: CVE request: nginx world-readable logdir, (continued)
- Re: CVE request: nginx world-readable logdir Anders Petersson (Feb 21)
- Re: CVE request: nginx world-readable logdir Anders Petersson (Feb 21)
- Re: CVE request: nginx world-readable logdir Kurt Seifried (Feb 21)
- Re: nginx world-readable logdir Kurt Seifried (Feb 21)
- Re: nginx world-readable logdir gremlin (Feb 22)
- Re: nginx world-readable logdir Kurt Seifried (Feb 22)
- Re: nginx world-readable logdir Henri Salo (Feb 22)
- Re: nginx world-readable logdir gremlin (Feb 22)
- nginx CVE-2013-0337 world-readable logs gremlin (Feb 23)
- Re: nginx CVE-2013-0337 world-readable logs Kurt Seifried (Feb 24)