|Summary:||<www-servers/nginx-1.4.1-r2: world-readable logdir (CVE-2013-0337)|
|Product:||Gentoo Security||Reporter:||Agostino Sarubbo <ago>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Package list:||Runtime testing required:||---|
|Bug Depends on:||473036|
Description Agostino Sarubbo 2013-02-22 12:31:25 UTC
Comment 1 Benedikt Böhm (RETIRED) 2013-02-24 12:20:41 UTC
i agree with Maxim Dounin from the nginx team : > We are fine with default permissions used for log files. > If in a particular configuration stricter permissions are > required, this may be done either by creating appropriate > log files with needed permissions, or by restricting access > to a directory with log files. so i won't fix it with a custom patch either.  http://www.openwall.com/lists/oss-security/2013/02/24/1
Comment 2 Tiziano Müller (RETIRED) 2013-05-08 06:35:08 UTC
The problem here are not the permissions on the log files but that nginx resets the permissions on it's log directory which it really shouldn't. Even if we are going to restrict /var/log/nginx by default to 0750 nginx resets it to 0755 after a start.
Comment 3 Tiziano Müller (RETIRED) 2013-05-08 06:37:26 UTC
*argh* cancel that, had an old init.d-script. With a current nginx, we explicitly set the log directory to 0750 which I'd say is sufficient for this.
Comment 4 Benedikt Böhm (RETIRED) 2013-05-08 07:04:38 UTC
actually, since #446734 we don't touch the logdir at all if it exists. otherwise it will be created with 0755 (not 0750!)
Comment 5 Tiziano Müller (RETIRED) 2013-05-08 08:48:58 UTC
(In reply to comment #4) > actually, since #446734 we don't touch the logdir at all if it exists. > otherwise it will be created with 0755 (not 0750!) Why don't we default to 0750? And why do we still overwrite /var/tmp/nginx? And why with 0755 instead of 0750?
Comment 6 Benedikt Böhm (RETIRED) 2013-05-08 10:10:20 UTC
i don't know and honestly i don't care ... if you feel like changing it, please do so
Comment 7 Agostino Sarubbo 2013-05-08 18:03:00 UTC
I'd like to wait a bit and stabilize
Comment 8 Agostino Sarubbo 2013-05-13 20:19:27 UTC
security please vote
Comment 9 Sean Amoss (RETIRED) 2013-09-30 22:54:14 UTC
Added to existing GLSA request.
Comment 10 GLSAMaker/CVETool Bot 2013-10-06 22:11:54 UTC
This issue was resolved and addressed in GLSA 201310-04 at http://security.gentoo.org/glsa/glsa-201310-04.xml by GLSA coordinator Sean Amoss (ackle).
Comment 11 GLSAMaker/CVETool Bot 2013-11-27 22:07:50 UTC
CVE-2013-0337 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0337): The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files.