oss-sec mailing list archives
Re: nginx world-readable logdir
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 22 Feb 2013 01:41:50 -0700
On 02/22/2013 01:15 AM, gremlin () gremlin ru wrote:
> On 22-Feb-2013 00:29:48 -0700, Kurt Seifried wrote:
>>>> I just noticed my nginx logdir and its content are world-readable:
>>>> What do you think about?
>>> About misconfiguration? Nothing:
>>> % grep create /etc/logrotate.d/nginx
>>> create 640 root wheel
>> What are the initial permissions prior to log rotation?
> Of course, exactly the same - 640, root:wheel :-)
>
> I've built my own package (for Openwall GNU/*/Linux, not yet in
> mainstream), and there I use explicit log file creation in the %post
> section (touch && chown && chmod) without relying on a umask (although
> in Owl it's restrictive by default: 077). So I think that ${subject}
> is just a misconfiguration.

Welp I confirmed it on Fedora 16. So at least some things are affected.

-- 
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
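The gap the thread turns on (logrotate's `create 640 root wheel` only applies on rotation, while files nginx creates before that inherit the umask) can be audited with the shell functions below. This is an added example, not code from the thread, nginx or logrotate; the directory and config paths are parameters, and the defaults in the comments are assumptions.

```shell
#!/bin/sh
# Added example: audit an nginx log directory for world-readable entries and
# compare the live modes with the mode logrotate's "create" directive applies
# after rotation. Paths such as /var/log/nginx and /etc/logrotate.d/nginx are
# assumed defaults; pass the real ones as arguments.

# Print the octal mode from a "create MODE OWNER GROUP" line in logrotate
# config file $1. Prints nothing when the file has no such line.
logrotate_create_mode() {
    awk '$1 == "create" && $2 ~ /^[0-7][0-7][0-7][0-7]?$/ { print $2; exit }' "$1"
}

# Return 0 if octal mode $1 grants read to "other" (last digit has bit 4 set).
mode_is_world_readable() {
    last=${1#"${1%?}"}
    [ $(( last & 4 )) -ne 0 ]
}

# List directory $1 itself and everything under it that "other" can read.
world_readable_entries() {
    find "$1" -perm -o+r -print
}

# Audit log directory $1 against logrotate config $2.
# Exit status 0 when nothing is world-readable now and rotation keeps it so,
# 1 when either the live files or the "create" mode expose logs to "other".
audit_nginx_logs() {
    logdir="$1"; conf="$2"; rc=0
    bad=$(world_readable_entries "$logdir")
    if [ -n "$bad" ]; then
        echo "world-readable now (pre-rotation files follow the umask):"
        echo "$bad"
        rc=1
    fi
    mode=$(logrotate_create_mode "$conf")
    if [ -n "$mode" ] && mode_is_world_readable "$mode"; then
        echo "logrotate 'create $mode' recreates world-readable logs on rotation"
        rc=1
    fi
    return $rc
}

# Usage: audit_nginx_logs /var/log/nginx /etc/logrotate.d/nginx
```

A package that sets the mode explicitly at install time (the touch/chown/chmod in %post that gremlin describes) passes the first check regardless of umask; the second check catches a `create` line that would undo that on the first rotation.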
Current thread:
- nginx world-readable logdir Agostino Sarubbo (Feb 21)
- Re: nginx world-readable logdir Henri Salo (Feb 21)
- CVE request: nginx world-readable logdir Henri Salo (Feb 21)
- Re: CVE request: nginx world-readable logdir Kurt Seifried (Feb 21)
- Re: CVE request: nginx world-readable logdir Anders Petersson (Feb 21)
- Re: CVE request: nginx world-readable logdir Anders Petersson (Feb 21)
- Re: CVE request: nginx world-readable logdir Kurt Seifried (Feb 21)
- Re: CVE request: nginx world-readable logdir Kurt Seifried (Feb 21)
- Re: nginx world-readable logdir Kurt Seifried (Feb 21)
- Re: nginx world-readable logdir gremlin (Feb 22)
- Re: nginx world-readable logdir Kurt Seifried (Feb 22)
- Re: nginx world-readable logdir Henri Salo (Feb 22)
- Re: nginx world-readable logdir gremlin (Feb 22)
- nginx CVE-2013-0337 world-readable logs gremlin (Feb 23)
- Re: nginx CVE-2013-0337 world-readable logs Kurt Seifried (Feb 24)