From: Zhixiong Chi <zhixiong.chi@windriver.com>
To: ChenQi <Qi.Chen@windriver.com>,
	<openembedded-devel@lists.openembedded.org>
Subject: Re: [meta-oe][PATCH] rsyslog: CVE-2015-3243
Date: Mon, 21 Aug 2017 11:35:09 +0800	[thread overview]
Message-ID: <599A54ED.40107@windriver.com> (raw)
In-Reply-To: <aeb82095-e155-f526-73a3-6f8259375ad9@windriver.com>



On 2017-08-21 10:20, ChenQi wrote:
> On 08/20/2017 10:51 AM, Zhixiong Chi wrote:
>> rsyslog uses weak permissions for generating log files, which allows
>> local users to obtain sensitive information by reading files in
>> /var/log/cron.log
>>
>> We add "create 0600 root root" to the /etc/logrotate.d/syslog file;
>> this will ensure the file is created with those permissions when
>> logrotate runs. It is also recommended that users manually set the
>> permissions on existing or newly installed log files in order to
>> prevent access by untrusted users.
>> https://bugzilla.redhat.com/show_bug.cgi?id=1232826
>>
>> CVE: CVE-2015-3243
>>
>> Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
>> ---
>>   meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate | 3 +++
>>   1 file changed, 3 insertions(+)
>>
>> diff --git 
>> a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate 
>> b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
>> index 94ec517..7960815 100644
>> --- a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
>> +++ b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
>> @@ -23,6 +23,9 @@
>>   /var/log/user.log
>>   /var/log/lpr.log
>>   /var/log/cron.log
>> +{
>> +        create 0600 root root
>> +}
>>   /var/log/debug
>>   /var/log/messages
>>   {
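Review bot: the inserted `{ create 0600 root root }` block after `/var/log/cron.log` closes the path list early, so `/var/log/user.log`, `/var/log/lpr.log` and `/var/log/cron.log` become their own group whose only directive is the new `create` line, while `/var/log/debug` and `/var/log/messages` stay in the original block (the `{` at the end of the hunk) and get no `create` directive at all. Put the `create` line inside the existing block so every file in the list is covered, and, since these files are owned root:adm with mode 0640 as the reply in this thread describes, use `create 0640 root adm` rather than `0600 root root` so the adm group keeps read access.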
>
>
> Hi Zhixiong,
>
> I also did some testing about this issue.
>
> We use '0640' for these log files, the owner is root and the group is 
> adm. So they are not world readable.
>
> And I also tried the logrotate command on target to recreate these log 
> files. They are created with 0640 file permission. (I checked the conf 
> files, not sure why 0640 is used by default.) You could double check 
> it if you like.
>
> (I used 'logrotate -f /etc/logrotate.conf' command to do the test.)
>
> P.S. Even if we want to do something, we should use 'create 0640 root 
> adm'.
>
> Best Regards,
>
> Chen Qi
>
Yeah, I agree with you. Thanks for your reminder.
Since we use the default 0640 permission, we don't need this patch any more.

Thanks.

-- 
---------------------
Thanks,
Zhixiong Chi
Tel: +86-10-8477-7036
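As an added illustration of the logrotate `create` directive this thread is about (example code written for this page, not part of the rsyslog recipe, the patch, or logrotate itself): a small Python parser for logrotate's "paths, then `{ directives }`" syntax that reports which `create` mode, owner and group each listed log file would end up with. The two config fragments are constructed to mirror the shape of the quoted hunk; the `rotate 4`, `weekly` and `missingok` lines inside the block are placeholders, since the hunk only shows the opening `{` of the original block.

```python
"""Added example (not from the rsyslog recipe or the patch): a minimal
parser for logrotate's "<paths> { <directives> }" syntax, used to show
which `create` mode/owner/group each log file ends up with."""
import re
import stat

# Constructed fragment modelled on the hunk in this thread: the inserted
# `{ create 0600 root root }` block ends the first list of paths, so the
# files after it belong to a different block. The `rotate`/`weekly`/
# `missingok` lines are placeholders, not the recipe's real directives.
PATCHED_CONF = """\
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
{
        create 0600 root root
}
/var/log/debug
/var/log/messages
{
        rotate 4
        weekly
        missingok
}
"""

# Constructed alternative: one block for all files, with the `create` line
# inside it and the 0640 root adm ownership recommended in the reply.
CORRECTED_CONF = """\
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
        create 0640 root adm
        rotate 4
        weekly
        missingok
}
"""

CREATE_RE = re.compile(r"^create\s+([0-7]{3,4})(?:\s+(\S+)\s+(\S+))?$")


def parse_logrotate(text):
    """Return {path: [directive, ...]}. Paths listed before a '{' share the
    directives of that block; paths on the same line as '{' are accepted too.
    Only the subset of the syntax needed here (no 'include', no globs)."""
    files = {}
    pending = []      # paths seen since the last closing '}'
    current = None    # directive list of the block being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            pending.extend(line[:-1].split())
            current = []
            for path in pending:
                files[path] = current
            pending = []
        elif line == "}":
            current = None
        elif current is not None:
            current.append(line)
        else:
            pending.extend(line.split())
    return files


def effective_create(directives):
    """(mode, owner, group) from the last `create` line in a block, or None
    when the block has no `create` directive at all."""
    found = None
    for d in directives:
        m = CREATE_RE.match(d)
        if m:
            found = (int(m.group(1), 8), m.group(2), m.group(3))
    return found


def audit(text):
    """Map each path to ('0640', 'root', 'adm', world_readable) or to None
    when its block never recreates the file with explicit permissions."""
    result = {}
    for path, directives in parse_logrotate(text).items():
        create = effective_create(directives)
        if create is None:
            result[path] = None
        else:
            mode, owner, group = create
            result[path] = (format(mode, "04o"), owner, group,
                            bool(mode & stat.S_IROTH))
    return result


if __name__ == "__main__":
    for name, conf in (("patched", PATCHED_CONF), ("corrected", CORRECTED_CONF)):
        print(f"== {name} ==")
        for path, info in audit(conf).items():
            print(f"{path:24} {info if info else 'no create directive'}")
```

Run as a script, the patched fragment reports no `create` directive for /var/log/debug and /var/log/messages, which is the split the hunk introduces, while the corrected fragment gives every file 0640 root adm with no world-read bit. A `create` directive only takes effect when logrotate recreates a file, so on a live system pair a check like this with `ls -l /var/log` (or `find /var/log -perm -o=r`) to catch files that already exist with looser modes, which is what the commit message's advice to manually set permissions on existing log files refers to.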



Thread overview: 3+ messages
2017-08-20  2:51 [meta-oe][PATCH] rsyslog: CVE-2015-3243 Zhixiong Chi
2017-08-21  2:20 ` ChenQi
2017-08-21  3:35   ` Zhixiong Chi [this message]
