oss-sec mailing list archives
Re: nginx world-readable logdir
From: gremlin () gremlin ru
Date: Fri, 22 Feb 2013 15:46:15 +0400
On 22-Feb-2013 10:49:38 +0200, Henri Salo wrote:
So I think that ${subject} is just a misconfiguration.
Welp I confirmed it on Fedora 16. So at least some things are affected.
Some distros are affected.
Alas for them... But the solution is simple.
Good to hear not all are.
%install
# ...
mkdir -pm750 %{buildroot}%{_localstatedir}/log/%{name}
touch %{buildroot}%{_localstatedir}/log/%{name}/access.log \
      %{buildroot}%{_localstatedir}/log/%{name}/error.log

%post
# ...
touch %{_localstatedir}/log/%{name}/access.log \
      %{_localstatedir}/log/%{name}/error.log
chown -R root:wheel %{_localstatedir}/log/%{name}
chmod 750 %{_localstatedir}/log/%{name}
chmod 640 %{_localstatedir}/log/%{name}/*
# ...

%files
# ...
%ghost %{_localstatedir}/log/%{name}/access.log
%ghost %{_localstatedir}/log/%{name}/error.log

The use of `touch` is preferred as it doesn't trash the existing logs on package update, and explicit `chmod` and `chown` ensure that their permissions are correct (Captain Obvious to the rescue, I know).
This is not just misconfiguration.
This issue isn't related to the nginx itself. However, I'd agree that nginx could use restrictive mode for its' log files: diff -burpN nginx-1.2.7.orig/src/core/ngx_log.c nginx-1.2.7/src/core/ngx_log.c --- nginx-1.2.7.orig/src/core/ngx_log.c 2012-01-18 19:07:43.000000000 +0400 +++ nginx-1.2.7/src/core/ngx_log.c 2013-02-22 15:42:04.000000000 +0400 @@ -325,7 +325,7 @@ ngx_log_init(u_char *prefix) ngx_log_file.fd = ngx_open_file(name, NGX_FILE_APPEND, NGX_FILE_CREATE_OR_OPEN, - NGX_FILE_DEFAULT_ACCESS); + NGX_FILE_USR_GRP_ACCESS); if (ngx_log_file.fd == NGX_INVALID_FILE) { ngx_log_stderr(ngx_errno, diff -burpN nginx-1.2.7.orig/src/os/unix/ngx_files.h nginx-1.2.7/src/os/unix/ngx_files.h --- nginx-1.2.7.orig/src/os/unix/ngx_files.h 2012-03-27 20:42:34.000000000 +0400 +++ nginx-1.2.7/src/os/unix/ngx_files.h 2013-02-22 15:41:22.000000000 +0400 @@ -98,6 +98,7 @@ typedef struct { #endif /* NGX_HAVE_OPENAT */ #define NGX_FILE_DEFAULT_ACCESS 0644 +#define NGX_FILE_USR_GRP_ACCESS 0640 #define NGX_FILE_OWNER_ACCESS 0600 -- Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru> GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8
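Review bot: In the ngx_log_init() hunk of src/core/ngx_log.c, the new mode argument only applies when NGX_FILE_CREATE_OR_OPEN actually creates the file, so an error log that already exists with mode 0644 stays world-readable after upgrading. The change should say so in its description, or be paired with an explicit chmod of existing logs as the packaging snippet in this message does. The visible diff also touches only this one ngx_open_file() call; any other call site that opens log files with NGX_FILE_DEFAULT_ACCESS would need the same treatment for the access log to be covered.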
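Review bot: The NGX_FILE_USR_GRP_ACCESS define in the src/os/unix/ngx_files.h hunk is added to the unix header only, while its user in src/core/ngx_log.c is platform-independent code. Every other platform's ngx_files.h that ngx_log.c builds against needs a matching define, otherwise those builds break. A short comment next to the define stating that 0640 relies on the log file's group being a trusted one would also help, since the effective exposure now depends on group ownership.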
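A check for the 750/640 layout described in the packaging snippet of this message, as an added example that is not part of the original post or of any distribution's packaging. The function names `audit_logdir` and `harden_logdir` are hypothetical, and `/var/log/nginx` is only an example path.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# audit_logdir DIR
# Print DIR and every regular file or directory under it that grants any
# permission bit to "other". Returns 0 if clean, 1 if anything is listed,
# 2 if DIR is not a directory.
audit_logdir() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    found=$(find "$1" \( -type d -o -type f \) \
                 \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# harden_logdir DIR
# The chmod steps from the %post scriptlet above: 750 on the directory,
# 640 on the files directly inside it. chown is left out so the function
# can be tried without root.
harden_logdir() {
    chmod 750 "$1" || return 1
    for f in "$1"/*; do
        if [ -f "$f" ]; then chmod 640 "$f" || return 1; fi
    done
    return 0
}

# Stand-alone use (example path): sh audit.sh /var/log/nginx
if [ "$#" -gt 0 ]; then
    audit_logdir "$1"
fi
```

Because the mode passed at file creation does not change files that already exist, running the audit after a package upgrade shows whether old logs were left world-readable.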