Date: Thu, 21 Feb 2013 23:51:16 +0100 From: Anders Petersson <anders@....se> To: oss-security@...ts.openwall.com Cc: Henri Salo <henri@...v.fi>, Agostino Sarubbo <ago@...too.org>, security-alert@...nx.org Subject: Re: CVE request: nginx world-readable logdir 2013/2/21 Anders Petersson <anders@....se> > However on Debian Squeeze the logs themselves are not world-readable (at > least on my system): > > $ ls -la /var/log/nginx/ > total 452 > drwxr-xr-x 2 root root 4096 Feb 21 06:25 . > drwxr-xr-x 9 root root 4096 Feb 21 06:25 .. > -rw-r----- 1 www-data adm 934 Feb 21 18:40 access.log > -rw-r----- 1 www-data adm 20134 Feb 21 03:46 access.log.1 > Apologies for the noise, Henri is absolutely correct. nginx on Debian Squeeze is affected. My observation is merely an artifact of the logrotation which fixes the permissions in a cron-job (hence if you have the logrotate package installed on Debian Squeeze the logs will have correct permissions as soon as the logs have been rotated once, but left to it's own devices nginx will create the log file world-readable, also the nginx package does not depend on the logrotate package so it may not be installed). # rm /var/log/nginx/access.log # service nginx restart $ ls -l /var/log/nginx/ total 1088 -rw-r--r-- 1 root root 0 Feb 21 23:31 access.log -- Anders Petersson
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.