[oe] [meta-oe][PATCH] rsyslog: CVE-2015-3243

Zhixiong Chi zhixiong.chi at windriver.com
Mon Aug 21 03:35:09 UTC 2017 


On 2017年08月21日 10:20, ChenQi wrote:
> On 08/20/2017 10:51 AM, Zhixiong Chi wrote:
>> rsyslog uses weak permissions for generating log files, which allows
>> local users to obtain sensitive information by reading files in
>> /var/log/cron.log
>>
>> We add "create 0600 root root" to the /etc/logrotate.d/syslog file,
>> this will ensure the file is created with permissions when logrotate
>> runs. It is also recommended that users manually set the permissions
>> on existing or newly installed log files in order to prevent access
>> by untrusted users.
>> https://bugzilla.redhat.com/show_bug.cgi?id=1232826
>>
>> CVE: CVE-2015-3243
>>
>> Signed-off-by: Zhixiong Chi <zhixiong.chi at windriver.com>
>> ---
>>   meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate | 3 +++
>>   1 file changed, 3 insertions(+)
>>
>> diff --git 
>> a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate 
>> b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
>> index 94ec517..7960815 100644
>> --- a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
>> +++ b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
>> @@ -23,6 +23,9 @@
>>   /var/log/user.log
>>   /var/log/lpr.log
>>   /var/log/cron.log
>> +{
>> +        create 0600 root root
>> +}
>>   /var/log/debug
>>   /var/log/messages
>>   {
>
>
> Hi Zhixiong,
>
> I also did some testing about this issue.
>
> We use '0640' for these log files, owner is root and group is adm. So 
> they are not world readable.
>
> And I also tried logroate command on target to recreate these log 
> files. They are created with 0640 file permission. (I checked the conf 
> files, not sure why 0640 is used by default.) You could double check 
> it if you like.
>
> (I used 'logroate -f /etc/logroate.conf' command to do the test.)
>
> P.S. Even if we want to do something, we should use 'create 0640 root 
> adm'.
>
> Best Regards,
>
> Chen Qi
>
Yeah, I agree with you. Thanks for your reminder.
Since we use the default 0640 permission, we don't need this patch any more.

Thanks.

-- 
---------------------
Thanks,
Zhixiong Chi
Tel: +86-10-8477-7036

More information about the Openembedded-devel mailing list