oss-sec mailing list archives

Re: nginx world-readable logdir


From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 22 Feb 2013 01:41:50 -0700


On 02/22/2013 01:15 AM, gremlin () gremlin ru wrote:
> On 22-Feb-2013 00:29:48 -0700, Kurt Seifried wrote:
>
>>>> I just noticed my nginx logdir and its content are
>>>> world-readable: What do you think about?
>>> About misconfiguration? Nothing:
>>> % grep create /etc/logrotate.d/nginx
>>> create 640 root wheel
>> What are the initial permissions prior to log rotation?
>
> Of course, exactly the same - 640, root:wheel :-)
>
> I've built my own package (for Openwall GNU/*/Linux, not yet in
> mainstream), and there I use explicit log file creation in the
> %post section (touch && chown && chmod) without relying on a umask
> (although in Owl it's restrictive by default: 077).
>
> So I think that ${subject} is just a misconfiguration.



Welp I confirmed it on Fedora 16. So at least some things are affected.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

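As an added example (not code from the thread or from any nginx package): a POSIX shell script that audits a log directory for entries readable by "other" and creates log files with an explicit owner and mode, the touch && chown && chmod sequence gremlin describes, so the result does not depend on the process umask. The directory path, owner and modes are assumptions.

```shell
#!/bin/sh
# Added example: audit an nginx-style log directory for world-readable
# entries and create log files with explicit permissions.
# Owner, modes and paths below are assumed values, not from the thread.

# List every entry below $1 (the directory itself included) that grants
# read, write or execute/search to "other". Returns 1 if any is found.
audit_world_readable() {
    offenders=$(find "$1" \( -perm -o=r -o -perm -o=w -o -perm -o=x \) -print)
    if [ -n "$offenders" ]; then
        printf 'world-accessible entries under %s:\n%s\n' "$1" "$offenders"
        return 1
    fi
    return 0
}

# Create (or keep) a log directory and force owner and mode explicitly;
# mkdir -p alone would inherit whatever the umask allows.
harden_log_dir() {
    dir=$1 owner=$2 mode=${3:-750}
    mkdir -p "$dir" && chown "$owner" "$dir" && chmod "$mode" "$dir"
}

# Create a log file the way a package %post step can: touch, then chown,
# then chmod, each checked, so a permissive umask (e.g. 022) has no effect.
# This mirrors the logrotate "create 640 root wheel" setting for rotation.
create_log_file() {
    path=$1 owner=$2 mode=${3:-640}
    touch "$path" && chown "$owner" "$path" && chmod "$mode" "$path"
}

# Usage when run directly:  sh audit-logdir.sh /var/log/nginx
if [ "$#" -gt 0 ]; then
    audit_world_readable "$1"
fi
```

Run it as root against the real log directory; the test below uses a temporary directory and the invoking user's own uid:gid so it works unprivileged.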

