Summary: | <sys-apps/systemd-233-r1: systemd / journald created world readable journal files | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | systemd |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2016/04/08/14 | ||
Whiteboard: | B4 [noglsa cve] | ||
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 595476 | ||
Bug Blocks: |
Description
Agostino Sarubbo
2016-04-10 11:47:09 UTC
The summary from the oss-security list is a bit misleading. This issue only affects users that had been running systemd-213 at some point. The tmpfiles fragment in that version would recursively set the world access bits.

This was fixed in systemd-214 by not setting permissions recursively in the tmpfiles fragment. Another tmpfiles change in 229 partially addresses the issue of permissions on archived journal files.

Given the limited scope and minor severity of this issue, I see no real reason to stabilize 229. If you want to release a GLSA for this, you can tell users to run the following to fix the permissions on existing files.

chmod -R o-rwx /var/log/journal/{machineid}/*

{machineid} is a UUID that is unique to each system.

Based on comment #1, we are waiting for >=sys-apps/systemd-229 to go stable. Bug 595476 is the current bug to handle that.

GLSA Vote: No
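
An added example, not part of the bug report or of systemd: a small shell helper that lists journal entries still carrying any "other" permission bit before the `chmod` above is applied, and strips those bits only where needed. The function names are hypothetical; the default path and the `o-rwx` fix are taken from the comment above.

```shell
#!/bin/sh
# Added example (not from the bug report): audit and repair "other" permission
# bits under a journal directory. Function names are hypothetical; the default
# path /var/log/journal and the o-rwx fix come from the comment above.

# Print every entry below ROOT/<machineid>/ that grants any access to "other".
# -mindepth 2 mirrors the /var/log/journal/{machineid}/* glob: the root and
# the machine-id directories themselves are left out.
# Symlinks are skipped because their own mode bits are always rwxrwxrwx.
list_world_accessible() {
    find "${1:-/var/log/journal}" -mindepth 2 ! -type l \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Remove the "other" bits only from the entries that still have them,
# so files that are already correct are not touched.
strip_world_access() {
    find "${1:-/var/log/journal}" -mindepth 2 ! -type l \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -exec chmod o-rwx {} +
}

# Usage: journal-perms.sh audit|fix [journal-root]
if [ $# -gt 0 ]; then
    case "$1" in
        audit) list_world_accessible "${2:-}" ;;
        fix)   strip_world_access "${2:-}" ;;
        *)     echo "usage: $0 audit|fix [journal-root]" >&2 ;;
    esac
fi
```

Running `audit` first gives a record of which files were exposed, which the recursive `chmod` alone does not provide.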