logrotate - rotate to an information leak?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there,

I noticed a "small" problem with logrotate (at least on SLES9): we have very restrictive rights for all our logfiles because many of them contain sensitive information. So we use 'create 0600 user group' to protect our logs. Now the problem: a rotated logfile (gzipped) has 644 and root.root permissions instead of the 'secure' ones. So we have a small security problem here. One way to fix this would be a postrotate script to fix the permissions, but is this really the way? I think if I use special permissions for my logs, they should be applied to the archives, too.

Did I miss something in the manpage(s) or is this the normal behavior? (Didn't yet take a look into the source due to lack of time...)

Regards and thanks,
Sven

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFCyWHHQoCguWUBzBwRAgOxAKCZxi344+yIdZLLfWAGq+fNj2OrnwCffgRU
dBB49esW+Mg7CrScD6brCYA=
=05Ow
-----END PGP SIGNATURE-----
On Mon, Jul 04, 2005 at 06:20:24PM +0200, Sven 'Darkman' Michels wrote:
> Hi there,
>
> I noticed a "small" problem with logrotate (at least on SLES9): we have very restrictive rights for all our logfiles because many of them contain sensitive information. So we use 'create 0600 user group' to protect our logs. Now the problem: a rotated logfile (gzipped) has 644 and root.root permissions instead of the 'secure' ones. So we have a small security problem here. One way to fix this would be a postrotate script to fix the permissions, but is this really the way? I think if I use special permissions for my logs, they should be applied to the archives, too.
>
> Did I miss something in the manpage(s) or is this the normal behavior? (Didn't yet take a look into the source due to lack of time...)

A fix for this will be released with SLES 9 Service Pack 2 ... release very likely within the next week.

Ciao, Marcus
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marcus Meissner wrote:
> On Mon, Jul 04, 2005 at 06:20:24PM +0200, Sven 'Darkman' Michels wrote:
> > Hi there,
> >
> > I noticed a "small" problem with logrotate (at least on SLES9): we have very restrictive rights for all our logfiles because many of them contain sensitive information. So we use 'create 0600 user group' to protect our logs. Now the problem: a rotated logfile (gzipped) has 644 and root.root permissions instead of the 'secure' ones. So we have a small security problem here. One way to fix this would be a postrotate script to fix the permissions, but is this really the way? I think if I use special permissions for my logs, they should be applied to the archives, too.
> >
> > Did I miss something in the manpage(s) or is this the normal behavior? (Didn't yet take a look into the source due to lack of time...)
>
> A fix for this will be released with SLES 9 Service Pack 2 ... release very likely within the next week.
>
> Ciao, Marcus

Isn't there a way via /etc/permissions.*?

Another way is to do the following _without_ prerotate or postrotate:

/etc/logrotate.d/xyz-service:

    /var/log/xyz-log {
        [...]
        create 0600 user group
        rotate 1
        [...]
    }

Somehow this behaviour (chmod 0600 for logfiles) is default within Debian 3.x ;)

Regards
Philippe

- --
This message is digitally signed and bears neither seal nor handwritten signature! Sending unsolicited advertising e-mail to private individuals violates §1 UWG and 823 I BGB (ruling of the LG Berlin of 2.8.1998, case no. 16 O 201/98). Any commercial use of the personal data transmitted here, or passing it on to third parties, is expressly prohibited!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQD1AwUBQsqxbUNg1DRVIGjBAQIruAb/Su3Ha+Ls3CWl4T+t1n8GTH9kl3483tlU
6oM7sLg1iROKyX6nqKsgGspXXxNS2l8LZ1pALEYZ3rV6KvmEyRlfvO8gJVxOHojm
32HZZBg39q+Y0s5kLlaDeeK8skSRGskacAr2zX3Sb1UmP4OBuX1VjiMXh9fbg6Xt
eL7U43gKF0uD+wJEaiQIT/YdZEGivsJsvtO9ag0QtWOBv+oZ6BHkx5mxmUFq0CJF
dNxai82Z/Few3B6vPgQUse0G1AWKeaDZB5itMtrkyVlU3NZLmCT7Dz5IAoMH/t0S
uqLbXt+81GI=
=rGCM
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Philippe Vogel wrote:
| Isn't there a way via /etc/permissions.*?

Possible, but we don't want workarounds if it's supposed to work otherwise ;)

| Another way is to do the following _without_ prerotate or postrotate:
|
| /etc/logrotate.d/xyz-service:
|
|     /var/log/xyz-log {
|         [...]
|         create 0600 user group
|         rotate 1
|         [...]
|     }
|
| Somehow this behaviour (chmod 0600 for logfiles) is default within
| Debian 3.x ;)

This is not the problem; the problem is a simple bug in the SUSE(?) package of logrotate: create is only applied to the newly opened logfile, not to the archives.

Regards,
Sven

PS: thanks Marcus and Kevin Ivory for your information!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFCyrNoQoCguWUBzBwRAgo3AKCRgPECF5x40rGXpqf2JH6NqnilKgCfU97T
T57m3q5hW7gCmgZ7I0FI2e0=
=ttmq
-----END PGP SIGNATURE-----
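The check that Sven's diagnosis calls for, as an added example that is not part of this thread and not code from the logrotate project: a POSIX shell script that compares each rotated archive's mode and ownership with the live log it was rotated from, reports every archive that grants permission bits the live log does not (the 644 root:root case described above), and can copy the live log's mode and owner onto the archives, which is the postrotate-style workaround the first message mentions. It assumes GNU or BusyBox `stat -c` and logrotate's default archive naming (`<log>.<N>`, `<log>.<N>.gz`, or `<log>-<date>[.gz]` with dateext); the `xyz-log` name is the thread's own example, and the files it inspects are whatever the caller has on disk, so it runs without logrotate installed.

```sh
#!/bin/sh
# Added example, not from the thread or from logrotate itself: audit rotated
# log archives whose permissions or ownership are looser than the live log
# they were rotated from, and optionally repair them. This is the case the
# thread describes: 'create 0600 user group' is applied to the freshly opened
# log, while the rotated .1 / .1.gz copies end up 0644 root:root.
#
# Assumptions: GNU or BusyBox stat (-c); logrotate's default archive names,
# <log>.<N>[.gz] or, with dateext, <log>-<YYYYMMDD>[.gz]; no spaces in paths.

# Octal permission bits of a file, e.g. 600 or 644 (no leading zero).
file_mode() {
    stat -c '%a' "$1"
}

# Numeric owner:group of a file, e.g. 0:0.
file_owner() {
    stat -c '%u:%g' "$1"
}

# check_rotated LOG
# Print one LEAK line per archive of LOG that either has permission bits the
# live log lacks or has a different owner/group. Returns 0 when every archive
# is at least as restrictive as LOG, 1 otherwise.
check_rotated() {
    live=$1
    live_mode=$(file_mode "$live")
    live_owner=$(file_owner "$live")
    rc=0
    for archive in "$live".[0-9]* "$live"-[0-9]*; do
        [ -e "$archive" ] || continue
        arch_mode=$(file_mode "$archive")
        arch_owner=$(file_owner "$archive")
        # Bits set on the archive but clear on the live log (rwx bits only).
        extra=$(( 0$arch_mode & ~0$live_mode & 0777 ))
        if [ "$extra" -ne 0 ] || [ "$arch_owner" != "$live_owner" ]; then
            printf 'LEAK %s: mode %s owner %s (live log: mode %s owner %s)\n' \
                "$archive" "$arch_mode" "$arch_owner" "$live_mode" "$live_owner"
            rc=1
        fi
    done
    return "$rc"
}

# fix_rotated LOG
# Copy the live log's mode and owner:group onto each of its archives. chown
# is only attempted where the owner actually differs, so an unprivileged run
# does not fail on files it already owns.
fix_rotated() {
    live=$1
    live_mode=$(file_mode "$live")
    live_owner=$(file_owner "$live")
    for archive in "$live".[0-9]* "$live"-[0-9]*; do
        [ -e "$archive" ] || continue
        chmod "$live_mode" "$archive"
        [ "$(file_owner "$archive")" = "$live_owner" ] || chown "$live_owner" "$archive"
    done
}

# Stand-alone use: audit every live log named on the command line, e.g.
#   sh audit-rotated.sh /var/log/xyz-log /var/log/messages
# Exit status is 1 if any archive is more permissive than its live log.
if [ "$#" -gt 0 ]; then
    status=0
    for log in "$@"; do
        check_rotated "$log" || status=1
    done
    exit "$status"
fi
```

Run `check_rotated` from cron against the logs protected with `create 0600`; a non-zero exit is the signal that the archives have drifted from the live log's permissions. `fix_rotated` is the repair step, and because it derives mode and owner from the live log rather than hard-coding 0600, it also follows any later change to the `create` line.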
participants (3): Marcus Meissner, Philippe Vogel, Sven 'Darkman' Michels