Date: Sun, 12 Oct 2014 10:19:40 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
        Assign a CVE Identifier <cve-assign@...re.org>
Subject: perl-Razor-Agent logs to /razor-agent.log by default

So today I was logged into some mail servers and ls -la / and had a
minor panic:

-rw-r--r--.  1 root root  2275 Oct 12 04:15 razor-agent.log

Generally speaking I'm not expecting log files in / unless it's some
sort of malware. A brief investigation and no panic, it's the
perl-Razor-Agent, which on RHEL/Fedora is supposed to log to
/var/log/razor-agent.log but doesn't due to some HOME shenanigans:

https://bugzilla.redhat.com/show_bug.cgi?id=1058772

This log file grows slowly, basically one entry per day/reboot:

Oct 12 16:13:17.347744 check[835]: [ 2] [bootup] Logging initiated
LogDebugLevel=3 to file:razor-agent.log

but it won't ever get logrotated, and on a system with a very tight /,
e.g. a cloud system maybe using immutable images that only have a few
spare k on / (and /var/log/ on another partition or whatever) this could
be an issue.

I'm inclined to not call this a DoS as even over a year it'll only be a
few tens of kb, and it doesn't appear that the attacker can trigger
faster growth, but I can see situations where this could be a problem.


-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
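
A check for the situation reported above, as an added example (not part of the original post and not perl-Razor-Agent code): it lists regular files sitting directly in a root directory that are not on an allowlist, and pulls relative `to file:` targets out of `Logging initiated` lines. The function names and the allowlist contents are assumptions; the sample log line is the one quoted in the message, placed in a constructed temporary tree.

```shell
#!/bin/sh
# Added example, not from the original post. ROOT_ALLOW is an assumption:
# list the files your image legitimately keeps directly under /.
ROOT_ALLOW=".autorelabel"

# stray_root_files DIR: print "size_bytes<TAB>name" for each regular file
# directly under DIR that is not in ROOT_ALLOW (symlinks are skipped).
stray_root_files() {
    dir=$1
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        name=${f##*/}
        case " $ROOT_ALLOW " in *" $name "*) continue ;; esac
        printf '%s\t%s\n' "$(wc -c < "$f" | tr -d ' ')" "$name"
    done
}

# relative_log_targets FILE: print each distinct "to file:PATH" target from
# "Logging initiated" lines whose PATH is relative, i.e. whose location
# depends on the working directory of the process that wrote it.
relative_log_targets() {
    sed -n 's/.*Logging initiated.* to file:\([^[:space:]]*\).*/\1/p' "$1" |
        grep -v '^/' | sort -u
}

# make_sample: build a constructed stand-in for / in a temp dir, print its path.
# The log line is the one quoted in the message, joined onto one line.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/etc" "$d/var"
    : > "$d/.autorelabel"
    printf '%s\n' 'Oct 12 16:13:17.347744 check[835]: [ 2] [bootup] Logging initiated LogDebugLevel=3 to file:razor-agent.log' \
        > "$d/razor-agent.log"
    printf '%s\n' "$d"
}

# Scan the directory given as $1, or the constructed sample when run bare.
root=${1:-$(make_sample)}
stray_root_files "$root" | while IFS="$(printf '\t')" read -r size name; do
    echo "unexpected file in $root: $name ($size bytes)"
    relative_log_targets "$root/$name" | sed 's/^/  logs to relative path: /'
done
[ -n "${1:-}" ] || rm -rf "$root"
```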

