From: Zhixiong Chi <zhixiong.chi@windriver.com>
To: ChenQi <Qi.Chen@windriver.com>,
<openembedded-devel@lists.openembedded.org>
Subject: Re: [meta-oe][PATCH] rsyslog: CVE-2015-3243
Date: Mon, 21 Aug 2017 11:35:09 +0800 [thread overview]
Message-ID: <599A54ED.40107@windriver.com> (raw)
In-Reply-To: <aeb82095-e155-f526-73a3-6f8259375ad9@windriver.com>
On 2017年08月21日 10:20, ChenQi wrote:
> On 08/20/2017 10:51 AM, Zhixiong Chi wrote:
>> rsyslog uses weak permissions for generating log files, which allows
>> local users to obtain sensitive information by reading files in
>> /var/log/cron.log
>>
>> We add "create 0600 root root" to the /etc/logrotate.d/syslog file,
>> this will ensure the file is created with permissions when logrotate
>> runs. It is also recommended that users manually set the permissions
>> on existing or newly installed log files in order to prevent access
>> by untrusted users.
>> https://bugzilla.redhat.com/show_bug.cgi?id=1232826
>>
>> CVE: CVE-2015-3243
>>
>> Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
>> ---
>> meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git
>> a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
>> b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
>> index 94ec517..7960815 100644
>> --- a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
>> +++ b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
>> @@ -23,6 +23,9 @@
>> /var/log/user.log
>> /var/log/lpr.log
>> /var/log/cron.log
>> +{
>> + create 0600 root root
>> +}
>> /var/log/debug
>> /var/log/messages
>> {
>
>
> Hi Zhixiong,
>
> I also did some testing about this issue.
>
> We use '0640' for these log files, owner is root and group is adm. So
> they are not world readable.
>
> And I also tried logroate command on target to recreate these log
> files. They are created with 0640 file permission. (I checked the conf
> files, not sure why 0640 is used by default.) You could double check
> it if you like.
>
> (I used 'logroate -f /etc/logroate.conf' command to do the test.)
>
> P.S. Even if we want to do something, we should use 'create 0640 root
> adm'.
>
> Best Regards,
>
> Chen Qi
>
Yeah, I agree with you. Thanks for your reminder.
Since we use the default 0640 permission, we don't need this patch any more.
Thanks.
--
---------------------
Thanks,
Zhixiong Chi
Tel: +86-10-8477-7036
prev parent reply other threads:[~2017-08-21 3:35 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-20 2:51 [meta-oe][PATCH] rsyslog: CVE-2015-3243 Zhixiong Chi
2017-08-21 2:20 ` ChenQi
2017-08-21 3:35 ` Zhixiong Chi [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=599A54ED.40107@windriver.com \
--to=zhixiong.chi@windriver.com \
--cc=Qi.Chen@windriver.com \
--cc=openembedded-devel@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox