Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 18 Jun 2015 11:56:48 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2015-3243 rsyslog: some log files are created world-readable

So /var/log/cron is world readable in RHEL7 which means the complete
command line is logged (so --password=, hostnames, etc.).

In line with this I have made the following proposed change for Fedora
(and by extensions Red Hat products):

https://fedoraproject.org/wiki/Kurtseifried/secure_config_and_log_permissions

Have secure by default permissions for configuration and log files

Proposed change

All configuration files (e.g. files in /etc/) and all log files (e.g.
files in /var/log/) must not be set world-readable unless there is a
functional reason to do so. By default, configuration files should be
chmod 600 or 0640 and log files should be chmod 0600. This is due to a
continuing number of security issues with world readable files that
contain sensitive information (e.g. passwords and access tokens or
logged usernames and commands for example).

Rationale

The number of security issues created by lax permissions on
configuration and log files has resulted in a number of security issues
exploitable by local users. E.g.:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=configuration+file+permissions

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=log+file+permissions

Please note that the above lists are by no means a complete listing of
the security flaws that have resulted from lax permissions.

I would invite other distros/etc to also do this.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com


Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.