Bug #25657
Fix permissions on logs
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No
Description
On a FreeNAS 11.0 U2 system I found that any user on the system can read various logs:
xkw7qn97f4st@store01:/var/log/nginx % ls -al /var/log/nginx
total 83
drwxr-xr-x 2 root wheel 5 Aug 22 00:00 .
drwxr-xr-x 7 root wheel 57 Aug 23 03:05 ..
-rw-r--r-- 1 www www 197027 Aug 23 08:35 access.log
-rw-r--r-- 1 www www 12482 Aug 22 00:00 access.log.0.bz2
-rw-r--r-- 1 root wheel 0 Aug 11 03:43 error.log
xkw7qn97f4st@store01:/var/log/nginx %

xkw7qn97f4st@store01:/var/log % ls -al messages*
-rw------- 1 root wheel 28765 Aug 23 08:30 messages
-rw-r--r-- 1 root wheel 30232 Aug 22 00:00 messages.0.bz2
-rw-r--r-- 1 root wheel 14597 Aug 13 09:00 messages.1.bz2
xkw7qn97f4st@store01:/var/log %
The compressed logs are world readable.
I, however, think that the nginx logs are logs which primarily shouldn't be world readable, as they contain sensitive information about IPs and actions of admins.
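Added example, not part of the original ticket or the FreeNAS code: a POSIX shell audit for the two conditions reported above, log files that are world readable and rotated copies that are more permissive than the live log they came from (as with messages and messages.0.bz2). The function names are hypothetical, and the rotated-name pattern (name.N, optionally followed by .bz2, .gz or .xz) is an assumption based on the listing.

```shell
#!/bin/sh
# Added example: audit a log directory for the permission problems in this ticket.
# Uses only find/sed/sort so it behaves the same on FreeBSD and Linux.

# has_other_read FILE -> exit 0 if FILE is a regular file with the o+r bit set.
has_other_read() {
    [ -n "$(find "$1" -prune -type f -perm -004 2>/dev/null)" ]
}

# world_readable_logs DIR -> print every regular file under DIR that has o+r.
world_readable_logs() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# rotated_leaks DIR -> print rotated copies that are world readable although
# the live log is not (assumed naming: name.N or name.N.bz2/.gz/.xz).
rotated_leaks() {
    find "$1" -type f 2>/dev/null | sort | while IFS= read -r f; do
        # Strip the rotation suffix to get the live log's path.
        live=$(printf '%s\n' "$f" | sed -E 's/\.[0-9]+(\.(bz2|gz|xz))?$//')
        [ "$live" != "$f" ] || continue   # not a rotated file name
        [ -f "$live" ] || continue        # no live log to compare against
        if has_other_read "$f" && ! has_other_read "$live"; then
            printf '%s\n' "$f"
        fi
    done
}

# Optional stand-alone run: LOG_AUDIT_DIR=/var/log sh audit.sh
if [ -n "${LOG_AUDIT_DIR:-}" ]; then
    echo "World-readable logs:";            world_readable_logs "$LOG_AUDIT_DIR"
    echo "Rotated copies wider than live:"; rotated_leaks "$LOG_AUDIT_DIR"
fi
```

Only mode bits are checked, so a file readable through a group membership or an ACL is not reported.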
Associated revisions
feat(middlewared): make sure middlewared.log is not world readable
Ticket: #25657
fix(src): do not rotate some world readable logs
Ticket: #25657
fix(src): use custom login class with umask for not world readable log
Ticket: #25657
History
#1
Updated by Dru Lavigne over 3 years ago
- Assignee changed from Release Council to William Grzybowski
William: what are your thoughts on this one?
#2
Updated by William Grzybowski over 3 years ago
- Status changed from Unscreened to Screened
- Priority changed from No priority to Important
- Target version set to 11.1
The user is right, they should not be.
#3
Updated by William Grzybowski over 3 years ago
- Status changed from Screened to Ready For Release
#4
Updated by Dru Lavigne over 3 years ago
- Subject changed from Logs are world readable to Fix permissions on logs
#5
Updated by Dru Lavigne over 3 years ago
- Target version changed from 11.1 to 11.1-BETA1
#6
Updated by Dru Lavigne about 3 years ago
- Status changed from Ready For Release to Resolved
#7
Updated by Joe Maloney about 3 years ago
- Needs QA changed from Yes to No
- QA Status Test Passes FreeNAS added
- QA Status deleted (Not Tested)