oss-sec mailing list archives

Re: nginx CVE-2013-0337 world-readable logs


From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 24 Feb 2013 13:24:53 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/24/2013 12:34 AM, gremlin () gremlin ru wrote:
On 22-Feb-2013 15:46:15 +0400, I wrote:

Some distros are affected.

Alas for them... But the solution is simple.

This is not just misconfiguration.

This issue isn't related to nginx itself. However, I'd agree
that nginx could use a restrictive mode for its log files: +++
nginx-1.2.7/src/core/ngx_log.c @@ -325,7 +325,7 @@ -
NGX_FILE_DEFAULT_ACCESS); +  NGX_FILE_USR_GRP_ACCESS);
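Review bot: the hunk swaps NGX_FILE_DEFAULT_ACCESS for NGX_FILE_USR_GRP_ACCESS at a single call site in ngx_log.c but does not show where NGX_FILE_USR_GRP_ACCESS is defined; if it is a new macro rather than an existing one, its definition belongs in the same patch so the change builds on its own. Two further points worth raising: a create mode only takes effect when the file is first created, so log files that already exist keep whatever mode they have, and the hunk does not implement the umask-respecting behaviour the reply itself says would be preferable.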

I've contacted the nginx team via their security-alert@ and got the
"won't fix" answer by Maxim Dounin:

We are fine with default permissions used for log files. If in a
particular configuration stricter permissions are required, this
may be done either by creating appropriate log files with needed
permissions, or by restricting access to a directory with log
files.

Although respecting the umask value could be a better solution (and
I'll try once again to convince the developers in that), the
developers' opinion is clear: pre-creating the logs is the expected
method to fix the ${subject}.

I somewhat disagree for the simple fact that web servers MUST log
sensitive information (e.g. GET strings) to be of any use. This goes
back to the discussion regarding programs such as gpg. Personally I
would rather see the log files (ALL log files for ALL programs
actually) created using a default permission that is safe (e.g. 0600
or 0660 if it writes to it with the group permissions), but can be
configured and easily overridden in a config file (e.g. nginx.conf) so
that people that have a legitimate need for world readable log files
can do so easily.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
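The two mitigations discussed in this thread, gremlin's "pre-create the logs with the needed permissions (or restrict the directory)" and Kurt's preference for a restrictive default such as 0640, as an added shell example. This is not code from the mail, from Red Hat or from nginx; the function names, the 0640/0750 modes and the scratch directory are my own assumptions, and nothing here calls into nginx. It pre-creates a log file with a fixed mode, restricts the log directory, and audits a directory for world-readable log files, which is the check a distro packager would run after deploying the fix.

```shell
#!/bin/sh
# Added example (not from the mail thread or from nginx): pre-create nginx log
# files with a restrictive mode and audit a log directory for world-readable
# files. LOG_DIR defaults to a scratch directory so the script runs offline;
# set LOG_DIR=/var/log/nginx to run it against a real install (hypothetical
# path, adjust for the distro).
set -eu

LOG_DIR="${LOG_DIR:-$(mktemp -d)}"

# Create (or fix) a log file so only the owner and group can read it.
# chmod is used rather than a create mode, so the result does not depend on
# the caller's umask and already-existing files are corrected as well.
precreate_log() {
    file="$1"
    mode="${2:-0640}"
    : >> "$file"          # create if missing, never truncate existing content
    chmod "$mode" "$file"
}

# The alternative the nginx developers point to: make the directory itself
# unreadable to others, so the mode of files inside it matters less.
restrict_log_dir() {
    chmod 0750 "$1"
}

# Print the octal mode of a path (works with GNU stat and BSD stat).
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Return 0 when the file is readable by "other", 1 otherwise.
is_world_readable() {
    m=$(file_mode "$1")
    other=${m#"${m%?}"}          # last octal digit = permission bits for "other"
    [ $(( other & 4 )) -ne 0 ]
}

# List every regular file under a directory that is world-readable.
# Returns 0 when the directory is clean, 1 when at least one file was found.
audit_log_dir() {
    dir="$1"
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if is_world_readable "$f"; then
            echo "world-readable: $f (mode $(file_mode "$f"))"
            found=1
        fi
    done
    return $found
}

# Demonstration in the scratch directory: one log created the way a 0644
# default would leave it, one pre-created with 0640, then the fix applied.
demo() {
    umask 022
    : > "$LOG_DIR/access.log"
    chmod 0644 "$LOG_DIR/access.log"          # mimics a world-readable default
    precreate_log "$LOG_DIR/error.log" 0640
    audit_log_dir "$LOG_DIR" || echo "audit: findings before fix (expected)"
    precreate_log "$LOG_DIR/access.log" 0640  # correct the existing file
    restrict_log_dir "$LOG_DIR"
    audit_log_dir "$LOG_DIR" && echo "audit: clean after fix"
}

demo
```

Run it as `sh script.sh` to see the audit fail on the 0644 file and pass after `precreate_log` is applied to it. The chmod-based approach is deliberately chosen over a create mode: it fixes files that already exist, which a change to the mode passed at file creation never does.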


