* [meta-oe][PATCH] rsyslog: CVE-2015-3243
@ 2017-08-20  2:51 Zhixiong Chi
  2017-08-21  2:20 ` ChenQi
From: Zhixiong Chi @ 2017-08-20  2:51 UTC (permalink / raw)
  To: openembedded-devel

rsyslog uses weak permissions for generating log files, which allows
local users to obtain sensitive information by reading files in
/var/log/cron.log

We add "create 0600 root root" to the /etc/logrotate.d/syslog file,
this will ensure the file is created with permissions when logrotate
runs. It is also recommended that users manually set the permissions
on existing or newly installed log files in order to prevent access
by untrusted users.
https://bugzilla.redhat.com/show_bug.cgi?id=1232826

CVE: CVE-2015-3243

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
 meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
index 94ec517..7960815 100644
--- a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
+++ b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
@@ -23,6 +23,9 @@
 /var/log/user.log
 /var/log/lpr.log
 /var/log/cron.log
+{
+        create 0600 root root
+}
 /var/log/debug
 /var/log/messages
 {
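Review bot: the three added lines split one logrotate entry into two. In this file a run of paths is followed by a single `{ ... }` block, so inserting `{ create 0600 root root }` directly after `/var/log/cron.log` turns `/var/log/cron.log` and every path listed above it into an entry whose only directive is `create`, while `/var/log/debug` and `/var/log/messages` keep the original block (the `{` in the trailing context) and whatever directives it contains. Put the `create` line inside that existing block instead, right after the `{` context line, so it applies to all the listed files and none of them lose the block's other directives. The commit message also says the change goes into `/etc/logrotate.d/syslog`; the file actually edited is `rsyslog.logrotate` in the recipe, which is worth stating as the installed path if that is where it lands.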
-- 
1.9.1




* Re: [meta-oe][PATCH] rsyslog: CVE-2015-3243
  2017-08-20  2:51 [meta-oe][PATCH] rsyslog: CVE-2015-3243 Zhixiong Chi
@ 2017-08-21  2:20 ` ChenQi
  2017-08-21  3:35   ` Zhixiong Chi
From: ChenQi @ 2017-08-21  2:20 UTC (permalink / raw)
  To: Zhixiong Chi, openembedded-devel

On 08/20/2017 10:51 AM, Zhixiong Chi wrote:
> rsyslog uses weak permissions for generating log files, which allows
> local users to obtain sensitive information by reading files in
> /var/log/cron.log
>
> We add "create 0600 root root" to the /etc/logrotate.d/syslog file,
> this will ensure the file is created with permissions when logrotate
> runs. It is also recommended that users manually set the permissions
> on existing or newly installed log files in order to prevent access
> by untrusted users.
> https://bugzilla.redhat.com/show_bug.cgi?id=1232826
>
> CVE: CVE-2015-3243
>
> Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
> ---
>   meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate | 3 +++
>   1 file changed, 3 insertions(+)
>
> diff --git a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
> index 94ec517..7960815 100644
> --- a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
> +++ b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
> @@ -23,6 +23,9 @@
>   /var/log/user.log
>   /var/log/lpr.log
>   /var/log/cron.log
> +{
> +        create 0600 root root
> +}
>   /var/log/debug
>   /var/log/messages
>   {


Hi Zhixiong,

I also did some testing about this issue.

We use '0640' for these log files, the owner is root and the group is adm. So 
they are not world readable.

And I also tried the logrotate command on target to recreate these log files. 
They are created with 0640 file permission. (I checked the conf files, 
not sure why 0640 is used by default.) You could double check it if you 
like.

(I used 'logrotate -f /etc/logrotate.conf' command to do the test.)

P.S. Even if we want to do something, we should use 'create 0640 root adm'.

Best Regards,

Chen Qi
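The check Chen Qi describes above (recreate the files, then look at their mode) and the `create MODE owner group` directive from the patch, as an added POSIX shell example; it is not from the thread or from the meta-oe rsyslog recipe. `world_readable_logs` lists every file under a directory whose mode grants the read bit to the "other" class, which is the condition behind CVE-2015-3243, and `create_mode_is_private` checks that a `create` mode grants nothing to "other", so both `0600 root root` and `0640 root adm` pass while `0644` fails. The sample directory, file names and modes are constructed for the demo; `stat -c '%a'` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the thread or the rsyslog recipe.
# Assumes GNU coreutils (stat -c); the sample directory below is constructed.

# Print "MODE PATH" for every regular file under $1 whose mode grants the
# read bit to "other", i.e. the file is world-readable.
world_readable_logs() {
    find "$1" -type f | while IFS= read -r f; do
        mode=$(stat -c '%a' "$f")          # e.g. 644, 640, 600
        other=${mode#"${mode%?}"}          # last octal digit = "other" class
        case $other in
            4|5|6|7) printf '%s %s\n' "$mode" "$f" ;;
        esac
    done
}

# Check the MODE argument of a logrotate "create MODE owner group" line.
# Returns 0 when "other" gets no permission at all (0600, 0640, 0660 ...),
# 1 when it does (0644, 0664 ...), 2 when MODE is not an octal number.
create_mode_is_private() {
    mode=$1
    case $mode in
        ""|*[!0-7]*) return 2 ;;
    esac
    other=${mode#"${mode%?}"}
    [ "$other" = 0 ]
}

# Demo on a constructed directory: one world-readable file, two private ones.
demo_dir=$(mktemp -d)
for f in cron.log messages secure; do : > "$demo_dir/$f"; done
chmod 644 "$demo_dir/cron.log"
chmod 640 "$demo_dir/messages"
chmod 600 "$demo_dir/secure"

echo "world-readable files under $demo_dir:"
world_readable_logs "$demo_dir"        # only cron.log is reported

for m in 0600 0640 0644 abc; do
    create_mode_is_private "$m"
    case $? in
        0) echo "create $m: ok, nothing granted to other" ;;
        1) echo "create $m: rejected, other has access" ;;
        *) echo "create $m: rejected, not an octal mode" ;;
    esac
done
rm -rf "$demo_dir"
```

Run it as root or as the file owner on the real directory (`world_readable_logs /var/log`) after a forced rotation such as the `logrotate -f /etc/logrotate.conf` used in the thread; any line printed is a file that `create` (or the daemon's own umask) left readable by everyone. The mode check deliberately ignores the owner and group digits, because the thread's disagreement is only about whether "other" gets anything, not about 0600 versus 0640.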




* Re: [meta-oe][PATCH] rsyslog: CVE-2015-3243
  2017-08-21  2:20 ` ChenQi
@ 2017-08-21  3:35   ` Zhixiong Chi
From: Zhixiong Chi @ 2017-08-21  3:35 UTC (permalink / raw)
  To: ChenQi, openembedded-devel



On 08/21/2017 10:20, ChenQi wrote:
> On 08/20/2017 10:51 AM, Zhixiong Chi wrote:
>> rsyslog uses weak permissions for generating log files, which allows
>> local users to obtain sensitive information by reading files in
>> /var/log/cron.log
>>
>> We add "create 0600 root root" to the /etc/logrotate.d/syslog file,
>> this will ensure the file is created with permissions when logrotate
>> runs. It is also recommended that users manually set the permissions
>> on existing or newly installed log files in order to prevent access
>> by untrusted users.
>> https://bugzilla.redhat.com/show_bug.cgi?id=1232826
>>
>> CVE: CVE-2015-3243
>>
>> Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
>> ---
>>   meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate | 3 +++
>>   1 file changed, 3 insertions(+)
>>
>> diff --git 
>> a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate 
>> b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
>> index 94ec517..7960815 100644
>> --- a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
>> +++ b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
>> @@ -23,6 +23,9 @@
>>   /var/log/user.log
>>   /var/log/lpr.log
>>   /var/log/cron.log
>> +{
>> +        create 0600 root root
>> +}
>>   /var/log/debug
>>   /var/log/messages
>>   {
>
>
> Hi Zhixiong,
>
> I also did some testing about this issue.
>
> We use '0640' for these log files, the owner is root and the group is adm. So 
> they are not world readable.
>
> And I also tried the logrotate command on target to recreate these log 
> files. They are created with 0640 file permission. (I checked the conf 
> files, not sure why 0640 is used by default.) You could double check 
> it if you like.
>
> (I used 'logrotate -f /etc/logrotate.conf' command to do the test.)
>
> P.S. Even if we want to do something, we should use 'create 0640 root 
> adm'.
>
> Best Regards,
>
> Chen Qi
>
Yeah, I agree with you. Thanks for your reminder.
Since we use the default 0640 permission, we don't need this patch any more.

Thanks.

-- 
---------------------
Thanks,
Zhixiong Chi
Tel: +86-10-8477-7036


