Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 24 Feb 2013 11:34:47 +0400
From: gremlin@...mlin.ru
To: oss-security@...ts.openwall.com
Subject: nginx CVE-2013-0337 world-readable logs

On 22-Feb-2013 15:46:15 +0400, I wrote:

 >> Some distros are affected.

 > Alas for them... But the solution is simple.

 >> This is not just misconfiguration.     

 > This issue isn't related to the nginx itself.
 > However, I'd agree that nginx could use restrictive mode for
 > its' log files:
 > +++ nginx-1.2.7/src/core/ngx_log.c
 > @@ -325,7 +325,7 @@
 > -  NGX_FILE_DEFAULT_ACCESS);
 > +  NGX_FILE_USR_GRP_ACCESS);

I've contacted the nginx team via their security-alert@ and got
the "won't fix" answer by Maxim Dounin:

 > We are fine with default permissions used for log files.
 > If in a particular configuration stricter permissions are
 > required, this may be done either by creating appropriate
 > log files with needed permissions, or by restricting access
 > to a directory with log files.

Although respecting the umask value could be a better solution
(and I'll try once again to convince the developers in that),
the developers' opinion is clear: pre-creating the logs is the
expected method to fix the ${subject}.


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin  gremlin  ru>
GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ