Bug #25657

Fix permissions on logs

Added by Wido den Hollander about 1 year ago. Updated 12 months ago.

Status: Resolved
Priority: Important
Assignee: William Grzybowski
Category: OS
Target version:
Seen in:
Sprint:
Severity: New
Backlog Priority:
Reason for Closing:
Reason for Blocked:
Needs QA: No
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

On a FreeNAS 11.0 U2 system I found that any user on the system can read various logs:

xkw7qn97f4st@store01:/var/log/nginx % ls -al /var/log/nginx
total 83
drwxr-xr-x  2 root  wheel       5 Aug 22 00:00 .
drwxr-xr-x  7 root  wheel      57 Aug 23 03:05 ..
-rw-r--r--  1 www   www    197027 Aug 23 08:35 access.log
-rw-r--r--  1 www   www     12482 Aug 22 00:00 access.log.0.bz2
-rw-r--r--  1 root  wheel       0 Aug 11 03:43 error.log
xkw7qn97f4st@store01:/var/log/nginx % 
xkw7qn97f4st@store01:/var/log % ls -al messages*
-rw-------  1 root  wheel  28765 Aug 23 08:30 messages
-rw-r--r--  1 root  wheel  30232 Aug 22 00:00 messages.0.bz2
-rw-r--r--  1 root  wheel  14597 Aug 13 09:00 messages.1.bz2
xkw7qn97f4st@store01:/var/log %

The compressed logs are world readable.

I however think that the nginx logs are logs which primarily shouldn't be world readable as they contain sensitive information about IPs and actions of admins.
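
An added example, not part of the original report and not FreeNAS code: a POSIX shell audit that lists log files readable by any local user and separately flags rotated archives that are world-readable while their live log is not, which is the `messages` / `messages.0.bz2` pattern in the listing above. The function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example (not FreeNAS code): audit a log directory for files that
# any local user can read, as in the listing above.

# Every regular file under $1 with the "other" read bit set.
world_readable_logs() {
    find "$1" -type f -perm -004 | sort
}

# Rotated archives (name.N, name.N.bz2/.gz/.xz) that are world-readable
# although the live log beside them is not: rotation widened access.
rotation_mismatches() {
    world_readable_logs "$1" | while IFS= read -r f; do
        base=$(printf '%s\n' "$f" | sed -E 's/\.[0-9]+(\.(bz2|gz|xz))?$//')
        if [ "$base" != "$f" ] && [ -f "$base" ] &&
           [ -z "$(find "$base" -perm -004)" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample tree with the modes shown in the report.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/nginx"
    : > "$d/nginx/access.log";       chmod 644 "$d/nginx/access.log"
    : > "$d/nginx/access.log.0.bz2"; chmod 644 "$d/nginx/access.log.0.bz2"
    : > "$d/nginx/error.log";        chmod 644 "$d/nginx/error.log"
    : > "$d/messages";               chmod 600 "$d/messages"
    : > "$d/messages.0.bz2";         chmod 644 "$d/messages.0.bz2"
    : > "$d/messages.1.bz2";         chmod 644 "$d/messages.1.bz2"
    printf '%s\n' "$d"
}

# Run against a real directory when one is given: sh audit.sh /var/log
if [ "$#" -ge 1 ]; then
    echo "world-readable:";      world_readable_logs "$1"
    echo "widened by rotation:"; rotation_mismatches "$1"
fi
```

On the sample tree the first function reports the three nginx files and the two compressed `messages` archives; the second reports only the two archives, because the nginx live log is itself world-readable.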

Associated revisions

Revision df70e5c8 (diff)
Added by William Grzybowski about 1 year ago

feat(middlewared): make sure middlewared.log is not world readable

Ticket: #25657

Revision 9c9d5d51 (diff)
Added by William Grzybowski about 1 year ago

fix(src): do not rotate some world readable logs

Ticket: #25657

Revision 23092af6 (diff)
Added by William Grzybowski about 1 year ago

fix(src): use custom login class with umask for not world readable log

Ticket: #25657

Revision 2b87831d (diff)
Added by William Grzybowski about 1 year ago

feat(middlewared): make sure middlewared.log is not world readable

Ticket: #25657

Revision 5a15dcba (diff)
Added by William Grzybowski about 1 year ago

fix(src): do not rotate some world readable logs

Ticket: #25657

Revision 5296d39c (diff)
Added by William Grzybowski about 1 year ago

fix(src): use custom login class with umask for not world readable log

Ticket: #25657

History

#1 Updated by Dru Lavigne about 1 year ago

  • Assignee changed from Release Council to William Grzybowski

William: what are your thoughts on this one?

#2 Updated by William Grzybowski about 1 year ago

  • Status changed from Unscreened to Screened
  • Priority changed from No priority to Important
  • Target version set to 11.1

The user is right, they should not be.

#3 Updated by William Grzybowski about 1 year ago

  • Status changed from Screened to Ready For Release

#4 Updated by Dru Lavigne about 1 year ago

  • Subject changed from Logs are world readable to Fix permissions on logs

#5 Updated by Dru Lavigne about 1 year ago

  • Target version changed from 11.1 to 11.1-BETA1

#6 Updated by Dru Lavigne 12 months ago

  • Status changed from Ready For Release to Resolved

#7 Updated by Joe Maloney 12 months ago

  • Needs QA changed from Yes to No
  • QA Status Test Passes FreeNAS added
  • QA Status deleted (Not Tested)
