Message-ID: <512A7715.1010200@redhat.com>
Date: Sun, 24 Feb 2013 13:24:53 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: gremlin@...mlin.ru
Subject: Re: nginx CVE-2013-0337 world-readable logs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/24/2013 12:34 AM, gremlin@...mlin.ru wrote:
> On 22-Feb-2013 15:46:15 +0400, I wrote:
>
>>> Some distros are affected.
>
>> Alas for them... But the solution is simple.
>
>>> This is not just misconfiguration.
>
>> This issue isn't related to the nginx itself. However, I'd agree
>> that nginx could use restrictive mode for its log files:
>> +++ nginx-1.2.7/src/core/ngx_log.c
>> @@ -325,7 +325,7 @@
>> -                                  NGX_FILE_DEFAULT_ACCESS);
>> +                                  NGX_FILE_USR_GRP_ACCESS);
>
> I've contacted the nginx team via their security-alert@ and got the
> "won't fix" answer by Maxim Dounin:
>
>> We are fine with default permissions used for log files. If in a
>> particular configuration stricter permissions are required, this
>> may be done either by creating appropriate log files with needed
>> permissions, or by restricting access to a directory with log
>> files.
>
> Although respecting the umask value could be a better solution (and
> I'll try once again to convince the developers in that), the
> developers' opinion is clear: pre-creating the logs is the expected
> method to fix the ${subject}.
>

I somewhat disagree for the simple fact that web servers MUST log
sensitive information (e.g. GET strings) to be of any use. This goes
back to the discussion regarding programs such as gpg. Personally I
would rather see the log files (ALL log files for ALL programs
actually) created using a default permission that is safe (e.g. 0600
or 0660 if it writes to it with the group permissions), but can be
configured and easily overridden in a config file (e.g. nginx.conf)
so that people that have a legitimate need for world readable log
files can do so easily.
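Review bot: the quoted hunk cannot be applied as posted: the `---` header for the original file is missing, and the `@@ -325,7 +325,7 @@` header promises seven lines on each side, yet only the one removed and one added line are shown, so the three lines of context before and after `NGX_FILE_DEFAULT_ACCESS);` need to be included. The replacement macro `NGX_FILE_USR_GRP_ACCESS` also appears nowhere else in the quoted change; unless it already exists in nginx's headers next to `NGX_FILE_DEFAULT_ACCESS`, the patch needs a matching `#define` or it will not compile. Finally, a hard-coded constant tightens the mode for every deployment at once; a directive in nginx.conf with a safe default, as the reply above proposes, would keep the restrictive mode while still letting operators who genuinely need world-readable logs opt in explicitly.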
- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993
A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRKncVAAoJEBYNRVNeJnmT1J0QAITraA2TQQ75m+Kje4vzp3b+
db+q3RbrEaY+5VdrtWCq16LNIzpU08Zh6qhoHx15KTrk9QJ996foYDfhiuuDaXT5
vvtDjPv4ddgzuh4iQbz1BVpI/XQ2PBuac9rbvZmExQqxA4Bis5IJGckgoVY299Os
gnEQcoU04+nAntMH3lH/6rAJ7GM00Y05Tca7dXc6Y1aKi9coRcIlqZgMO+Fkzgys
nYTFLoR7BA2O5znWxVBqPHNeXFLZgh0JPPnCfyCtAKiVr8cKuDfX36IKz8wCD66c
Dw6204V3MnkN/xNZUguFnbkbROfzAaCt6JXWRC0Ye2AcsWvHqbagYfXaOQ/5UMNT
2QEB6LvWzfcmIAOguEffCYLYDWoMsQI2M5whK7VAO/nniHN+3frOSkz2SHqpfqSe
fEyre6oVf3i/1IJaWPWKEst7RZVSte8Pgwnef2C7sGjnuINt2FBH9RQLHLDV79E5
7Bbd6KWmC6mZULGZvwZm7jdMpwnPj0gyJiumXPXdFcPfMGw3Sc/8aIB6kEUM4Puf
F7UCPRene3OaI5xtAXXC3RglBBD3kHLSF146Ng2Qvo/zUj3mNj5pa6qouiMJ3Kkb
cqIp59Sbn0zWCkOVWhgsvDMgL/5F0bmw178ttRA17fBzb178ox2VY0NnUmQWBytz
Q4OBraQ+yCIzS3cGO+FA
=EBGC
-----END PGP SIGNATURE-----
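As an added illustration of the point argued in the message above (a safe default mode for a freshly created log that an operator can override, and how the process umask interacts with it), here is example code written for this page; it is not nginx's own code and not part of the thread. The log path, the `open_log`/`effective_log_mode` helpers and the `log_file_mode` directive they stand in for are hypothetical.

```c
/* Added example, not nginx code: create a log file with a safe default
   mode that a configuration directive can override, and report the
   permission bits the kernel actually applied after the umask. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define LOG_MODE_SAFE_DEFAULT 0600   /* owner read/write only */

/* Open (creating if needed) a log for appending. mode == 0 means "the
   hypothetical log_file_mode directive is unset", so the safe default
   applies; any explicit mode (e.g. 0644 for a site that really needs
   world-readable logs) is honoured as given. Returns the fd or -1. */
int open_log(const char *path, mode_t mode)
{
    if (mode == 0)
        mode = LOG_MODE_SAFE_DEFAULT;
    /* O_NOFOLLOW: do not follow a symlink sitting at the log path. */
    return open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, mode);
}

/* Create a fresh log under the given umask and return the permission
   bits the file received (requested & ~mask), or -1 on error. The umask
   can only remove bits from the requested mode, never add any, which is
   why a permissive built-in default cannot be fixed by umask alone when
   the server's umask is lax. */
int effective_log_mode(const char *path, mode_t requested, mode_t mask)
{
    struct stat st;
    int fd;
    mode_t old = umask(mask);

    unlink(path);                /* ensure the mode is applied at create */
    fd = open_log(path, requested);
    umask(old);                  /* restore the caller's umask */
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0) {
        close(fd);
        return -1;
    }
    close(fd);
    unlink(path);
    return (int)(st.st_mode & 07777);
}

/* The check a packager would run on a freshly created log: can "other"
   read it? */
int world_readable(int mode)
{
    return (mode & S_IROTH) != 0;
}

int main(void)
{
    const char *p = "/tmp/example-access.log";   /* constructed path */

    printf("default (unset) under umask 022: %04o\n", effective_log_mode(p, 0, 022));
    printf("explicit 0644 under umask 022:   %04o\n", effective_log_mode(p, 0644, 022));
    printf("explicit 0664 under umask 022:   %04o\n", effective_log_mode(p, 0664, 022));
    printf("explicit 0660 under umask 077:   %04o\n", effective_log_mode(p, 0660, 077));
    return 0;
}
```

The first line of output is the behaviour the message asks for: with nothing configured the log comes out 0600 regardless of umask. The 0664/022 case shows the umask tightening an explicit mode, and 0660/077 shows that a strict umask still cannot be relied on to protect a log once an operator has chosen a group-readable mode on a system where the umask is later relaxed.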