Bug #25657: Fix permissions on logs - FreeNAS - iXsystems & FreeNAS Redmine

Bug #25657

Fix permissions on logs

Added by Wido den Hollander over 3 years ago. Updated about 3 years ago.

Status:

Resolved

Priority:

Important

Assignee:

William Grzybowski

Category:

Target version:

11.1-BETA1

Seen in:

11.0-U2

Severity:

New

Reason for Closing:

Reason for Blocked:

Needs QA:

Needs Doc:

Yes

Needs Merging:

Yes

Needs Automation:

Support Suite Ticket:

n/a

Hardware Configuration:

ChangeLog Required:

Description

On a FreeNAS 11.0 U2 system I found that any user on the system can read various logs:

xkw7qn97f4st@store01:/var/log/nginx % ls -al /var/log/nginx
total 83
drwxr-xr-x  2 root  wheel       5 Aug 22 00:00 .
drwxr-xr-x  7 root  wheel      57 Aug 23 03:05 ..
-rw-r--r--  1 www   www    197027 Aug 23 08:35 access.log
-rw-r--r--  1 www   www     12482 Aug 22 00:00 access.log.0.bz2
-rw-r--r--  1 root  wheel       0 Aug 11 03:43 error.log
xkw7qn97f4st@store01:/var/log/nginx %

xkw7qn97f4st@store01:/var/log % ls -al messages*
-rw-------  1 root  wheel  28765 Aug 23 08:30 messages
-rw-r--r--  1 root  wheel  30232 Aug 22 00:00 messages.0.bz2
-rw-r--r--  1 root  wheel  14597 Aug 13 09:00 messages.1.bz2
xkw7qn97f4st@store01:/var/log %

The compressed logs are world readable.

I however think that the nginx logs are logs which primarily shouldn't be world readable as they contain sensitive information about IPs and actions of admins.

Associated revisions

Revision df70e5c8 (diff)
Added by William Grzybowski over 3 years ago

feat(middlewared): make sure middlewared.log is not world readable Ticket: #25657

Revision 9c9d5d51 (diff)
Added by William Grzybowski over 3 years ago

fix(src): do not rotate some world readable logs Ticket: #25657

Revision 23092af6 (diff)
Added by William Grzybowski over 3 years ago

fix(src): use custom login class with umask for not world readable log Ticket: #25657

Revision 2b87831d (diff)
Added by William Grzybowski over 3 years ago

feat(middlewared): make sure middlewared.log is not world readable Ticket: #25657

Revision 5a15dcba (diff)
Added by William Grzybowski over 3 years ago

fix(src): do not rotate some world readable logs Ticket: #25657

Revision 5296d39c (diff)
Added by William Grzybowski over 3 years ago

fix(src): use custom login class with umask for not world readable log Ticket: #25657

History

#1 Updated by Dru Lavigne over 3 years ago

Assignee changed from Release Council to William Grzybowski

William: what are your thoughts on this one?

#2 Updated by William Grzybowski over 3 years ago

Status changed from Unscreened to Screened
Priority changed from No priority to Important
Target version set to 11.1

The user is right, they should not be.

#3 Updated by William Grzybowski over 3 years ago

Status changed from Screened to Ready For Release

#4 Updated by Dru Lavigne over 3 years ago

Subject changed from Logs are world readable to Fix permissions on logs

#5 Updated by Dru Lavigne over 3 years ago

Target version changed from 11.1 to 11.1-BETA1

#6 Updated by Dru Lavigne about 3 years ago

Status changed from Ready For Release to Resolved

#7 Updated by Joe Maloney about 3 years ago

Needs QA changed from Yes to No
QA Status Test Passes FreeNAS added
QA Status deleted (~~Not Tested~~)

Also available in: Atom PDF

Project

General

Profile

FreeNAS

Issues

Tags

Custom queries