[oe] [meta-oe][PATCH] rsyslog: CVE-2015-3243

ChenQi Qi.Chen at windriver.com
Mon Aug 21 02:20:46 UTC 2017


On 08/20/2017 10:51 AM, Zhixiong Chi wrote:
> rsyslog uses weak permissions for generating log files, which allows
> local users to obtain sensitive information by reading files in
> /var/log/cron.log
>
> We add "create 0600 root root" to the /etc/logrotate.d/syslog file,
> this will ensure the file is created with permissions when logrotate
> runs. It is also recommended that users manually set the permissions
> on existing or newly installed log files in order to prevent access
> by untrusted users.
> https://bugzilla.redhat.com/show_bug.cgi?id=1232826
>
> CVE: CVE-2015-3243
>
> Signed-off-by: Zhixiong Chi <zhixiong.chi at windriver.com>
> ---
>   meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate | 3 +++
>   1 file changed, 3 insertions(+)
>
> diff --git a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
> index 94ec517..7960815 100644
> --- a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
> +++ b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
> @@ -23,6 +23,9 @@
>   /var/log/user.log
>   /var/log/lpr.log
>   /var/log/cron.log
> +{
> +        create 0600 root root
> +}
>   /var/log/debug
>   /var/log/messages
>   {
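Review bot: Inserting '{ create 0600 root root }' between /var/log/cron.log and /var/log/debug splits the file list into two blocks, so /var/log/user.log, /var/log/lpr.log and /var/log/cron.log (plus whatever paths precede the hunk) are now governed only by that single 'create' line and lose every directive of the original '{' block that follows /var/log/messages, while /var/log/debug and /var/log/messages get no 'create' line at all. Put the 'create' directive inside the existing block instead, so it applies to all the listed files. Also, since these logs are created as root:adm with 0640 (as Chen Qi's reply below notes), 'create 0640 root adm' keeps group access consistent, whereas '0600 root root' would lock out the adm group.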


Hi Zhixiong,

I also did some testing about this issue.

We use '0640' for these log files, owner is root and group is adm. So they are not world readable.

And I also tried logrotate command on target to recreate these log files. They are created with 0640 file permission. (I checked the conf files, not sure why 0640 is used by default.) You could double check it if you like.

(I used 'logrotate -f /etc/logrotate.conf' command to do the test.)

P.S. Even if we want to do something, we should use 'create 0640 root adm'.

Best Regards,

Chen Qi
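A small audit of the two layouts discussed in this thread, added here as an example (it is neither the patch's code nor either poster's): it parses a logrotate fragment, maps each log path to the block it falls in, and reports paths whose 'create' mode is world-readable, paths with no 'create' at all, and blocks that ended up without any rotation-interval directive. It assumes a simplified logrotate grammar (no 'include', 'tabooext' or quoted paths) and uses constructed sample configs.

```python
# Constructed sample mirroring the patch above: the inserted block splits the
# file list, so cron.log gets only 'create' and messages keeps only 'weekly'.
SPLIT_CONFIG = """/var/log/cron.log {
    create 0600 root root
}
/var/log/messages {
    weekly
}
"""
# Constructed corrected form: one block, 'create' inside it, 0640 root:adm.
FIXED_CONFIG = """/var/log/cron.log
/var/log/messages {
    weekly
    create 0640 root adm
}
"""
INTERVALS = {"daily", "weekly", "monthly", "yearly", "size", "maxsize"}

def parse_logrotate(text):
    """Return [(paths, directives)] per block; paths are the lines before '{'."""
    blocks, paths, directives, in_block = [], [], {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments; blanks fall through
        if line.endswith("{"):                # bare '{' or 'path {'
            paths.extend(line[:-1].split())
            in_block = True
        elif line == "}":
            blocks.append((paths, directives))
            paths, directives, in_block = [], {}, False
        elif in_block and line:
            key, _, rest = line.partition(" ")
            directives[key] = rest.split()
        else:
            paths.extend(line.split())
    return blocks

def audit(text):
    """Map each path to findings: 'no-create', 'world-readable', 'no-interval'."""
    findings = {}
    for paths, directives in parse_logrotate(text):
        issues = []
        create = directives.get("create")
        if create is None:                    # mode falls back to the global default
            issues.append("no-create")
        elif create and int(create[0], 8) & 0o004:   # o+r: the CVE-2015-3243 condition
            issues.append("world-readable")
        if INTERVALS.isdisjoint(directives):  # no rotation directive reached this block
            issues.append("no-interval")
        findings.update(dict.fromkeys(paths, issues))
    return findings
```

Running audit() over SPLIT_CONFIG shows cron.log with 'no-interval' and messages with 'no-create', while FIXED_CONFIG reports nothing for either path.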
