Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20130222081530.GB27037@gremlin.ru>
Date: Fri, 22 Feb 2013 12:15:30 +0400
From: gremlin@...mlin.ru
To: oss-security@...ts.openwall.com
Subject: Re: nginx world-readable logdir

On 22-Feb-2013 00:29:48 -0700, Kurt Seifried wrote:

 >>> I just noticed my nginx logdir and its content are
 >>> world-readable: What do you think about?
 >> About misconfiguration? Nothing:
 >> % grep create /etc/logrotate.d/nginx
 >> create 640 root wheel
 > What are the initial permissions prior to log rotation?

Of course, exactly the same - 640, root:wheel :-)

I've built my own package (for Openwall GNU/*/Linux, not yet
in mainstream), and there I use explicit log file creation in
the %post section (touch && chown && chmod) without relying
on a umask (although in Owl it's restrictive by default: 077).

So I think that ${subject} is just a misconfiguration.


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.