Date: Sun, 12 Oct 2014 10:19:40 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, Assign a CVE Identifier <cve-assign@...re.org>
Subject: perl-Razor-Agent logs to /razor-agent.log by default

So today I was logged into some mail servers and ls -la / and had a minor panic:

-rw-r--r--. 1 root root 2275 Oct 12 04:15 razor-agent.log

Generally speaking I'm not expecting log files in / unless it's some sort of malware. A brief investigation and no panic, it's the perl-Razor-Agent, which on RHEL/Fedora is supposed to log to /var/log/razor-agent.log but doesn't due to some HOME shenanigans:

https://bugzilla.redhat.com/show_bug.cgi?id=1058772

This log file grows slowly, basically one entry per day/reboot:

Oct 12 16:13:17.347744 check: [ 2] [bootup] Logging initiated LogDebugLevel=3 to file:razor-agent.log

but it won't ever get logrotated, and on a system with a very tight /, e.g. a cloud system maybe using immutable images that only have a few spare k on / (and /var/log/ on another partition or whatever) this could be an issue.

I'm inclined to not call this a DoS as even over a year it'll only be a few tens of kb, and it doesn't appear that the attacker can trigger faster growth, but I can see situations where this could be a problem.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993