oss-sec mailing list archives

Re: nginx world-readable logdir


From: gremlin () gremlin ru
Date: Fri, 22 Feb 2013 12:15:30 +0400

On 22-Feb-2013 00:29:48 -0700, Kurt Seifried wrote:

>>> I just noticed my nginx logdir and its content are
>>> world-readable: What do you think about?

>> About misconfiguration? Nothing:
>> % grep create /etc/logrotate.d/nginx
>> create 640 root wheel

> What are the initial permissions prior to log rotation?

Of course, exactly the same - 640, root:wheel :-)

I've built my own package (for Openwall GNU/*/Linux, not yet
in mainstream), and there I use explicit log file creation in
the %post section (touch && chown && chmod) without relying
on a umask (although in Owl it's restrictive by default: 077).

So I think that ${subject} is just a misconfiguration.


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8
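
The approach described in the message above (explicit touch && chown && chmod at install time, plus a logrotate "create" mode), as an added example that is not part of the original post or of any nginx package. The function names, the temporary directory and the sample logrotate line written by demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. All paths and sample data are constructed.

# Create a log file with an explicit mode (and owner, when given) instead of
# trusting the caller's umask: touch && chown && chmod, as in the post.
create_log() (  # usage: create_log PATH MODE [OWNER:GROUP]
    umask 077                                 # assumption: close the window before chmod
    touch "$1" || exit 1
    if [ -n "$3" ]; then chown "$3" "$1" || exit 1; fi
    chmod "$2" "$1"
)

# Print every entry under DIR that grants any permission to "other".
world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Print the mode from the "create MODE OWNER GROUP" directive of a logrotate file.
logrotate_create_mode() {
    awk '$1 == "create" && $2 ~ /^[0-7]+$/ { print $2 }' "$1"
}

# Succeed when an octal mode string grants anything to "other".
mode_is_world_open() {
    case "$1" in *0) return 1 ;; *) return 0 ;; esac
}

# Demo in a throwaway directory under a permissive umask (runs in a subshell).
demo() (
    d=$(mktemp -d) || exit 1
    umask 022
    create_log "$d/access.log" 640            # explicit mode: stays 640
    : > "$d/error.log"                        # careless creation: ends up 644
    printf 'create 640 root wheel\n' > "$d/nginx.logrotate"
    chmod 600 "$d/nginx.logrotate"
    echo "world-accessible entries:"
    world_accessible "$d"                     # lists only error.log
    m=$(logrotate_create_mode "$d/nginx.logrotate")
    if mode_is_world_open "$m"; then
        echo "logrotate would recreate logs world-accessible (mode $m)"
    else
        echo "logrotate create mode $m is not world-accessible"
    fi
    rm -rf "$d"
)
demo
```

Pass OWNER:GROUP as the third argument to create_log when running as root, for example from a package post-install script.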

