Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 458726 (CVE-2013-0337)

Summary: <www-servers/nginx-1.4.1-r2: world-readable logdir (CVE-2013-0337)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: dev-zero
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2013/02/21/15
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 473036    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2013-02-22 12:31:25 UTC 
As reported by me in oss-security, the nginx logdir and its content are world readable:

drwxr-xr-x  2 root root  4096 Jan 10 00:11 .
drwxr-xr-x 16 root root  4096 Feb 21 17:46 ..
-rw-r--r--  1 root root 69415 Feb 21 17:46 error_log
-rw-r--r--  1 root root 93017 Feb 18 22:03 localhost.access_log
-rw-r--r--  1 root root 86227 Feb 18 22:03 localhost.error_log
Comment 1 Benedikt Böhm (RETIRED) gentoo-dev 2013-02-24 12:20:41 UTC 
i agree with Maxim Dounin from the nginx team [1]:

> We are fine with default permissions used for log files.
> If in a particular configuration stricter permissions are
> required, this may be done either by creating appropriate
> log files with needed permissions, or by restricting access
> to a directory with log files.

so i won't fix it with a custom patch either.


[1] http://www.openwall.com/lists/oss-security/2013/02/24/1
Comment 2 Tiziano Müller (RETIRED) gentoo-dev 2013-05-08 06:35:08 UTC 
The problem here are not the permissions on the log files but that nginx resets the permissions on it's log directory which it really shouldn't.
Even if we are going to restrict /var/log/nginx by default to 0750 nginx resets it to 0755 after a start.
Comment 3 Tiziano Müller (RETIRED) gentoo-dev 2013-05-08 06:37:26 UTC 
*argh* cancel that, had an old init.d-script.
With a current nginx, we explicitly set the log directory to 0750 which I'd say is sufficient for this.
Comment 4 Benedikt Böhm (RETIRED) gentoo-dev 2013-05-08 07:04:38 UTC 
actually, since #446734 we don't touch the logdir at all if it exists. otherwise it will be created with 0755 (not 0750!)
Comment 5 Tiziano Müller (RETIRED) gentoo-dev 2013-05-08 08:48:58 UTC 
(In reply to comment #4)
> actually, since #446734 we don't touch the logdir at all if it exists.
> otherwise it will be created with 0755 (not 0750!)

Why don't we default to 0750?
And why do we still overwrite /var/tmp/nginx? And why with 0755 instead of 0750?
Comment 6 Benedikt Böhm (RETIRED) gentoo-dev 2013-05-08 10:10:20 UTC 
i don't know and honestly i don't care ... if you feel like changing it, please do so
Comment 7 Agostino Sarubbo gentoo-dev 2013-05-08 18:03:00 UTC 
I'd like to wait a bit and stabilize
Comment 8 Agostino Sarubbo gentoo-dev 2013-05-13 20:19:27 UTC 
security please vote
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2013-09-30 22:54:14 UTC 
Added to existing GLSA request.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2013-10-06 22:11:54 UTC 
This issue was resolved and addressed in
 GLSA 201310-04 at http://security.gentoo.org/glsa/glsa-201310-04.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2013-11-27 22:07:50 UTC 
CVE-2013-0337 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0337):
  The default configuration of nginx, possibly 1.3.13 and earlier, uses
  world-readable permissions for the (1) access.log and (2) error.log files,
  which allows local users to obtain sensitive information by reading the
  files.