Date: Fri, 13 Jan 2017 15:00:36 +0100
From: Carlos Alberto Lopez Perez <clopez@...lia.com>
To: dawid@...alhackers.com
Cc: oss-security@...ts.openwall.com
Subject: Re: Nginx (Debian-based + Gentoo distros) - Root Privilege Escalation [CVE-2016-1247 UPDATE]

On 13/01/17 10:35, Dawid Golunski wrote:
> Attackers who have managed to replace the log file with a symlink would
> have to wait for nginx daemon to re-open the log files. 
> For this to happen nginx service needs to be restarted, or the daemon needs
> to receive a USR1 process signal. 
> 
> However, the USR1 is sent automatically on default installations of 
> Debian-based systems through logrotate script which calls do_rotate() 
> function as can be seen in the files quoted below:
> 
> 
> --------[ /etc/logrotate.d/nginx ]--------
> 
> /var/log/nginx/*.log {
> 	daily
> 	missingok
> 	rotate 52
> 	compress
> 	delaycompress
> 	notifempty
> 	create 0640 www-data adm
> 	sharedscripts
> 	prerotate
> 		if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
> 			run-parts /etc/logrotate.d/httpd-prerotate; \
> 		fi \
> 	endscript
> 	postrotate
> 		invoke-rc.d nginx rotate >/dev/null 2>&1
> 	endscript
> }
> 
> ------------------------------------------

This looks to me like an issue on the logrotate side rather than on the nginx one.

If I have:

/var/log/nginx/error.log -> /etc/ld.so.preload

Why does logrotate "create 0640 www-data adm" over /var/log/nginx/error.log
remove and create /etc/ld.so.preload??? That is shocking!

It should do that on /var/log/nginx/error.log, by removing that symlink
and creating a new empty standard file on /var/log/nginx/error.log !!

Don't you agree??
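As an added example (not part of this message, and not code from either distribution's nginx or logrotate packaging), here is a prerotate-style check in POSIX sh that flags the precondition both mails describe: a path under the log directory that is a symlink instead of a regular file. It is the kind of check one could drop into the `/etc/logrotate.d/httpd-prerotate` hook quoted above so that rotation is refused rather than allowed to act on the symlink's target. All paths below are constructed in a temporary directory; `find_symlinked_logs` and `count_symlinked_logs` are names chosen for this example.

```shell
# Added example, not from the original thread: detect log paths that have
# been replaced by symlinks before logrotate's "create" directive runs.
# Every path here is constructed in a temp directory, not a real system log.

# find_symlinked_logs DIR: print each *.log entry under DIR that is a symlink
# (with its target), return 1 if any was found, 0 if all entries are regular.
find_symlinked_logs() {
    dir=$1
    found=0
    for f in "$dir"/*.log; do
        # skip the literal pattern when the glob matched nothing
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ -L "$f" ]; then
            printf '%s -> %s\n' "$f" "$(readlink "$f")"
            found=1
        fi
    done
    return $found
}

# count_symlinked_logs DIR: number of symlinked *.log entries under DIR
count_symlinked_logs() {
    find_symlinked_logs "$1" | wc -l | tr -d ' '
}

# Constructed sample directory: one regular log and one log that is a
# symlink pointing at a stand-in for a file outside the log directory.
demo_dir=$(mktemp -d)
: > "$demo_dir/access.log"
: > "$demo_dir/target.txt"                    # constructed stand-in target
ln -s "$demo_dir/target.txt" "$demo_dir/error.log"

# A prerotate hook would exit non-zero here so rotation does not proceed.
if find_symlinked_logs "$demo_dir" >/dev/null; then
    echo "no symlinked logs in $demo_dir; safe to rotate"
else
    echo "symlinked log(s) in $demo_dir; refusing to rotate"
fi
```

The check is only a pre-flight: a symlink planted between the hook and logrotate's own open/create would still be missed, so it complements rather than replaces the fix on the logrotate or packaging side that this thread argues for.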


