oss-sec mailing list archives
Re: nginx world-readable logdir
From: gremlin () gremlin ru
Date: Fri, 22 Feb 2013 15:46:15 +0400
On 22-Feb-2013 10:49:38 +0200, Henri Salo wrote:
So I think that ${subject} is just a misconfiguration.
Welp I confirmed it on Fedora 16. So at least some things are affected.
Some distros are affected.
Alas for them... But the solution is simple.
Good to hear not all are.
%install
# ...
mkdir -pm750 %{buildroot}%{_localstatedir}/log/%{name}
touch %{buildroot}%{_localstatedir}/log/%{name}/access.log \
%{buildroot}%{_localstatedir}/log/%{name}/error.log
%post
# ...
touch %{_localstatedir}/log/%{name}/access.log \
%{_localstatedir}/log/%{name}/error.log
chown -R root:wheel %{_localstatedir}/log/%{name}
chmod 750 %{_localstatedir}/log/%{name}
chmod 640 %{_localstatedir}/log/%{name}/*
# ...
%files
# ...
%ghost %{_localstatedir}/log/%{name}/access.log
%ghost %{_localstatedir}/log/%{name}/error.log
The use of `touch` is preferred as it doesn't trash the existing logs
on package update, and explicit `chmod` and `chown` ensure that their
permissions are correct (Captain Obvious to the rescue, I know).
This is not just misconfiguration.
This issue isn't related to the nginx itself.
However, I'd agree that nginx could use restrictive mode for its' log
files:
diff -burpN nginx-1.2.7.orig/src/core/ngx_log.c nginx-1.2.7/src/core/ngx_log.c
--- nginx-1.2.7.orig/src/core/ngx_log.c 2012-01-18 19:07:43.000000000 +0400
+++ nginx-1.2.7/src/core/ngx_log.c 2013-02-22 15:42:04.000000000 +0400
@@ -325,7 +325,7 @@ ngx_log_init(u_char *prefix)
ngx_log_file.fd = ngx_open_file(name, NGX_FILE_APPEND,
NGX_FILE_CREATE_OR_OPEN,
- NGX_FILE_DEFAULT_ACCESS);
+ NGX_FILE_USR_GRP_ACCESS);
if (ngx_log_file.fd == NGX_INVALID_FILE) {
ngx_log_stderr(ngx_errno,
diff -burpN nginx-1.2.7.orig/src/os/unix/ngx_files.h nginx-1.2.7/src/os/unix/ngx_files.h
--- nginx-1.2.7.orig/src/os/unix/ngx_files.h 2012-03-27 20:42:34.000000000 +0400
+++ nginx-1.2.7/src/os/unix/ngx_files.h 2013-02-22 15:41:22.000000000 +0400
@@ -98,6 +98,7 @@ typedef struct {
#endif /* NGX_HAVE_OPENAT */
#define NGX_FILE_DEFAULT_ACCESS 0644
+#define NGX_FILE_USR_GRP_ACCESS 0640
#define NGX_FILE_OWNER_ACCESS 0600
--
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8
Current thread:
- CVE request: nginx world-readable logdir, (continued)
- CVE request: nginx world-readable logdir Henri Salo (Feb 21)
- Re: CVE request: nginx world-readable logdir Kurt Seifried (Feb 21)
- Re: CVE request: nginx world-readable logdir Anders Petersson (Feb 21)
- Re: CVE request: nginx world-readable logdir Anders Petersson (Feb 21)
- Re: CVE request: nginx world-readable logdir Kurt Seifried (Feb 21)
- Re: CVE request: nginx world-readable logdir Kurt Seifried (Feb 21)
- CVE request: nginx world-readable logdir Henri Salo (Feb 21)
- Re: nginx world-readable logdir Kurt Seifried (Feb 21)
- Re: nginx world-readable logdir gremlin (Feb 22)
- Re: nginx world-readable logdir Kurt Seifried (Feb 22)
- Re: nginx world-readable logdir Henri Salo (Feb 22)
- Re: nginx world-readable logdir gremlin (Feb 22)
- nginx CVE-2013-0337 world-readable logs gremlin (Feb 23)
- Re: nginx CVE-2013-0337 world-readable logs Kurt Seifried (Feb 24)