Closed stephenl03 closed 4 years ago
Hi @stephenl03, thanks for taking the time reporting this.
Do you know how `recap` was installed in that example you provided?
drwxr-xr-x 4 root root 36864 Oct 30 11:10 ./
Anything that does rely on the use of the Makefile (this includes `rpm` and `deb` packages, the `ansible` playbook in this repo and even on its own) should set the permissions for the `LOGDIR` (`/var/log/recap` in this case) to `0750`:
https://github.com/rackerlabs/recap/blob/c1a83c868215e4d888203d74ee5daac9a801b8d0/Makefile#L87
That permission has been set since 0.9.12
https://github.com/rackerlabs/recap/blob/ce3992bd8e5effacf479d03763d0167cc45501b3/Makefile#L24
Installed via apt, `apt-get -y install recap`. It looks like the Rackspace mirror's latest is 1.3.0-1 available.
recap:
Installed: 1.3.0-1
Candidate: 1.3.0-1
Version table:
*** 1.3.0-1 500
500 https://rax.mirror.rackspace.com/ubuntu xenial/main amd64 Packages
500 https://rax.mirror.rackspace.com/ubuntu xenial/main i386 Packages
500 https://rax.mirror.rackspace.com/ubuntu xenial/main all Packages
100 /var/lib/dpkg/status
0.9.14-1 500
500 https://rax.mirror.rackspace.com/ubuntu xenial/main amd64 Packages
500 https://rax.mirror.rackspace.com/ubuntu xenial/main i386 Packages
500 https://rax.mirror.rackspace.com/ubuntu xenial/main all Packages
As the permission issues seem to be fixed in a newer version and the repo the package was installed from is outdated, we can close the issue at this time.
The files generated in `/var/log/recap/` should be `640` to follow security best practices. Allowing "other" read access could expose sensitive information for an attacker that has gained lower privilege access.
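
To check whether an installed package actually applied the modes discussed in this thread (`0750` on the log directory, `640` on the generated files), the following is an added example and not code from the recap project. The function name `audit_logdir` is hypothetical, and the default path is the `/var/log/recap` directory named above.

```shell
#!/bin/sh
# Added example (not recap's code): audit a recap log directory against the
# modes named in this thread: directory 0750, generated files 640.
# audit_logdir is a hypothetical helper name.

# Prints each offending entry; returns 0 if clean, 1 on findings, 2 on error.
audit_logdir() {
    dir=${1:-/var/log/recap}
    if [ ! -d "$dir" ]; then
        echo "audit_logdir: $dir is not a directory" >&2
        return 2
    fi

    # Any "other" bit (r, w or x) on a file or directory. Symlinks are
    # skipped because their own mode bits are not used for access checks.
    other=$(find "$dir" ! -type l \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -exec ls -ld {} \;)

    # Regular files looser than 640: owner execute, group write or execute.
    files=$(find "$dir" -type f \
        \( -perm -100 -o -perm -020 -o -perm -010 \) -exec ls -ld {} \;)

    # Directories looser than 0750 on the group side: group write.
    dirs=$(find "$dir" -type d -perm -020 -exec ls -ld {} \;)

    rc=0
    if [ -n "$other" ]; then
        printf 'Accessible to "other":\n%s\n' "$other"; rc=1
    fi
    if [ -n "$files" ]; then
        printf 'Files looser than 640:\n%s\n' "$files"; rc=1
    fi
    if [ -n "$dirs" ]; then
        printf 'Group-writable directories:\n%s\n' "$dirs"; rc=1
    fi
    return "$rc"
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_logdir "$1"
fi
```

A directory listed as `drwxr-xr-x`, like the one quoted earlier in the thread, is reported under the first heading because its "other" read and search bits are set.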