Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 458726 (CVE-2013-0337) - <www-servers/nginx-1.4.1-r2: world-readable logdir (CVE-2013-0337)
Summary: <www-servers/nginx-1.4.1-r2: world-readable logdir (CVE-2013-0337)
Status: RESOLVED FIXED
Alias: CVE-2013-0337
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [glsa]
Keywords:
Depends on: 473036
Blocks:
  Show dependency tree
 
Reported: 2013-02-22 12:31 UTC by Agostino Sarubbo
Modified: 2013-11-27 22:07 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-02-22 12:31:25 UTC
As reported by me in oss-security, the nginx logdir and its content are world readable:

drwxr-xr-x  2 root root  4096 Jan 10 00:11 .
drwxr-xr-x 16 root root  4096 Feb 21 17:46 ..
-rw-r--r--  1 root root 69415 Feb 21 17:46 error_log
-rw-r--r--  1 root root 93017 Feb 18 22:03 localhost.access_log
-rw-r--r--  1 root root 86227 Feb 18 22:03 localhost.error_log
Comment 1 Benedikt Böhm (RETIRED) gentoo-dev 2013-02-24 12:20:41 UTC
i agree with Maxim Dounin from the nginx team [1]:

> We are fine with default permissions used for log files.
> If in a particular configuration stricter permissions are
> required, this may be done either by creating appropriate
> log files with needed permissions, or by restricting access
> to a directory with log files.

so i won't fix it with a custom patch either.


[1] http://www.openwall.com/lists/oss-security/2013/02/24/1
Comment 2 Tiziano Müller (RETIRED) gentoo-dev 2013-05-08 06:35:08 UTC
The problem here are not the permissions on the log files but that nginx resets the permissions on it's log directory which it really shouldn't.
Even if we are going to restrict /var/log/nginx by default to 0750 nginx resets it to 0755 after a start.
Comment 3 Tiziano Müller (RETIRED) gentoo-dev 2013-05-08 06:37:26 UTC
*argh* cancel that, had an old init.d-script.
With a current nginx, we explicitly set the log directory to 0750 which I'd say is sufficient for this.
Comment 4 Benedikt Böhm (RETIRED) gentoo-dev 2013-05-08 07:04:38 UTC
actually, since #446734 we don't touch the logdir at all if it exists. otherwise it will be created with 0755 (not 0750!)
Comment 5 Tiziano Müller (RETIRED) gentoo-dev 2013-05-08 08:48:58 UTC
(In reply to comment #4)
> actually, since #446734 we don't touch the logdir at all if it exists.
> otherwise it will be created with 0755 (not 0750!)

Why don't we default to 0750?
And why do we still overwrite /var/tmp/nginx? And why with 0755 instead of 0750?
Comment 6 Benedikt Böhm (RETIRED) gentoo-dev 2013-05-08 10:10:20 UTC
i don't know and honestly i don't care ... if you feel like changing it, please do so
Comment 7 Agostino Sarubbo gentoo-dev 2013-05-08 18:03:00 UTC
I'd like to wait a bit and stabilize
Comment 8 Agostino Sarubbo gentoo-dev 2013-05-13 20:19:27 UTC
security please vote
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2013-09-30 22:54:14 UTC
Added to existing GLSA request.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2013-10-06 22:11:54 UTC
This issue was resolved and addressed in
 GLSA 201310-04 at http://security.gentoo.org/glsa/glsa-201310-04.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2013-11-27 22:07:50 UTC
CVE-2013-0337 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0337):
  The default configuration of nginx, possibly 1.3.13 and earlier, uses
  world-readable permissions for the (1) access.log and (2) error.log files,
  which allows local users to obtain sensitive information by reading the
  files.