oss-sec mailing list archives
Re: CVE request: nginx world-readable logdir
From: Anders Petersson <anders () xvx se>
Date: Thu, 21 Feb 2013 23:51:16 +0100
2013/2/21 Anders Petersson <anders () xvx se>
However on Debian Squeeze the logs themselves are not world-readable (at least on my system):

$ ls -la /var/log/nginx/
total 452
drwxr-xr-x 2 root root 4096 Feb 21 06:25 .
drwxr-xr-x 9 root root 4096 Feb 21 06:25 ..
-rw-r----- 1 www-data adm 934 Feb 21 18:40 access.log
-rw-r----- 1 www-data adm 20134 Feb 21 03:46 access.log.1

Apologies for the noise, Henri is absolutely correct. nginx on Debian Squeeze is affected. My observation is merely an artifact of the log rotation, which fixes the permissions in a cron job (hence if you have the logrotate package installed on Debian Squeeze the logs will have correct permissions as soon as the logs have been rotated once, but left to its own devices nginx will create the log file world-readable; also, the nginx package does not depend on the logrotate package, so it may not be installed).

# rm /var/log/nginx/access.log
# service nginx restart
$ ls -l /var/log/nginx/
total 1088
-rw-r--r-- 1 root root 0 Feb 21 23:31 access.log

-- 
Anders Petersson
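
Added example, not part of the original message or of any Debian or nginx package: a small shell audit for the condition described above, where a freshly created log is mode 0644 until something tightens it. The function names and the temporary demo directory are assumptions made for illustration; the only path taken from the message is /var/log/nginx/.

```shell
#!/bin/sh
# Audit a log directory for files readable by "other" (the o+r bit).
# Function names are hypothetical; the demo data is constructed.

# Print every regular file under $1 that has the world-readable bit set.
world_readable_logs() {
    find "$1" -type f -perm -0004 -print
}

# Exit status 0 if no file under $1 is world-readable, 1 otherwise.
logdir_is_private() {
    [ -z "$(world_readable_logs "$1")" ]
}

# Strip all "other" permission bits from the offending files.
# 0644 becomes 0640, the mode the rotated logs show in the listing above.
# Ownership is left untouched.
tighten_logs() {
    find "$1" -type f -perm -0004 -exec chmod o-rwx {} +
}

# Constructed demo in a throwaway directory: one file created the way the
# message shows a fresh access.log (0644), one already at 0640.
# Prints "<world-readable count before> <count after tightening>".
demo() {
    d=$(mktemp -d) || return 1
    ( umask 022; : > "$d/access.log" )      # fresh log: -rw-r--r--
    ( umask 027; : > "$d/access.log.1" )    # rotated log: -rw-r-----
    before=$(world_readable_logs "$d" | wc -l | tr -d ' ')
    tighten_logs "$d"
    after=$(world_readable_logs "$d" | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "$before $after"
}

# Stand-alone use: pass a directory to list its world-readable files,
# e.g.  sh audit.sh /var/log/nginx/
if [ "$#" -gt 0 ]; then
    world_readable_logs "$1"
fi
```

Run against a directory right after a service restart as well as after rotation, since the message shows the two states can differ.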
Current thread:
- nginx world-readable logdir Agostino Sarubbo (Feb 21)
- Re: nginx world-readable logdir Henri Salo (Feb 21)
- CVE request: nginx world-readable logdir Henri Salo (Feb 21)
- Re: CVE request: nginx world-readable logdir Kurt Seifried (Feb 21)
- Re: CVE request: nginx world-readable logdir Anders Petersson (Feb 21)
- Re: CVE request: nginx world-readable logdir Anders Petersson (Feb 21)
- Re: CVE request: nginx world-readable logdir Kurt Seifried (Feb 21)
- Re: CVE request: nginx world-readable logdir Kurt Seifried (Feb 21)
- Re: nginx world-readable logdir Kurt Seifried (Feb 21)
- Re: nginx world-readable logdir gremlin (Feb 22)
- Re: nginx world-readable logdir Kurt Seifried (Feb 22)
- Re: nginx world-readable logdir Henri Salo (Feb 22)
- Re: nginx world-readable logdir gremlin (Feb 22)
- nginx CVE-2013-0337 world-readable logs gremlin (Feb 23)
- Re: nginx CVE-2013-0337 world-readable logs Kurt Seifried (Feb 24)