rackerlabs / recap

A system status reporting tool
GNU General Public License v2.0

Log file permissions #227

Closed stephenl03 closed 4 years ago

stephenl03 commented 4 years ago

The files generated in /var/log/recap/ should be 640 to follow security best practices. Allowing "other" read access could expose sensitive information for an attacker that has gained lower privilege access.

```
# ll /var/log/recap/
total 8392
drwxr-xr-x  4 root root     36864 Oct 30 11:10 ./
drwxrwxr-x 17 root syslog    4096 Oct 30 10:30 ../
drwxr-xr-x  2 root root      4096 Oct 15 21:06 backups/
-rw-r--r--  1 root root      5924 Oct 30 00:00 netstat_20191030-000001.log
-rw-r--r--  1 root root      6055 Oct 30 00:10 netstat_20191030-001001.log
-rw-r--r--  1 root root      6194 Oct 30 00:20 netstat_20191030-002001.log
-rw-r--r--  1 root root      6055 Oct 30 00:30 netstat_20191030-003001.log
-rw-r--r--  1 root root      5925 Oct 30 00:40 netstat_20191030-004001.log
-rw-r--r--  1 root root      6344 Oct 30 00:50 netstat_20191030-005001.log
-rw-r--r--  1 root root      5925 Oct 30 01:00 netstat_20191030-010001.log
```

tonyskapunk commented 4 years ago

Hi @stephenl03 thanks for taking the time reporting this.

Do you know how recap was installed in that example you provided?

drwxr-xr-x 4 root root 36864 Oct 30 11:10 ./

Anything that relies on the use of the Makefile (this includes rpm and deb packages, the ansible playbook in this repo, and even the Makefile on its own) should set the permissions for the LOGDIR (/var/log/recap in this case) to 0750:

https://github.com/rackerlabs/recap/blob/c1a83c868215e4d888203d74ee5daac9a801b8d0/Makefile#L87

That permission has been set since 0.9.12

https://github.com/rackerlabs/recap/blob/ce3992bd8e5effacf479d03763d0167cc45501b3/Makefile#L24


156 found that the permissions would be set wrong to the expected if the directory was not already in place, that got fixed in 1.4.0
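A check for the expectation discussed in this thread (LOGDIR 0750 as the Makefile sets it, report files 0640 as the report asks for), written as an added example that is not part of recap or of this issue; it assumes GNU find and coreutils on Linux, and the function name audit_recap_perms is hypothetical:

```shell
#!/bin/sh
# Audit a recap LOGDIR: nothing below it should grant any bit to "other".
# Prints each offending path; the return value is the number of offenders
# (0 = clean). With --fix, re-applies 0750 to directories and 0640 to files,
# matching the permissions the thread expects for /var/log/recap.
audit_recap_perms() {
    logdir="$1"; fix="${2:-}"
    count=0
    # GNU find: -perm /o+rwx matches any entry with at least one "other" bit set.
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        echo "world-accessible: $path"
        count=$((count + 1))
        if [ "$fix" = "--fix" ]; then
            if [ -d "$path" ]; then chmod 0750 "$path"; else chmod 0640 "$path"; fi
        fi
    done <<EOF
$(find "$logdir" -perm /o+rwx)
EOF
    return "$count"
}

# Constructed demo tree mirroring the report: directories 0755, a log 0644.
demo=$(mktemp -d)
mkdir "$demo/backups"
: > "$demo/netstat_20191030-000001.log"
chmod 0755 "$demo" "$demo/backups"
chmod 0644 "$demo/netstat_20191030-000001.log"

audit_recap_perms "$demo" || echo "before fix: $? world-accessible entries"
audit_recap_perms "$demo" --fix >/dev/null || true
audit_recap_perms "$demo" && echo "after fix: clean"
rm -rf "$demo"
```

Running it against the real directory (`audit_recap_perms /var/log/recap`) needs root to read the tree; add `--fix` only after confirming the installed version's intended modes.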

stephenl03 commented 4 years ago

Installed via apt, apt-get -y install recap. It looks like the latest available on the Rackspace mirror is 1.3.0-1.

```
recap:
  Installed: 1.3.0-1
  Candidate: 1.3.0-1
  Version table:
 *** 1.3.0-1 500
        500 https://rax.mirror.rackspace.com/ubuntu xenial/main amd64 Packages
        500 https://rax.mirror.rackspace.com/ubuntu xenial/main i386 Packages
        500 https://rax.mirror.rackspace.com/ubuntu xenial/main all Packages
        100 /var/lib/dpkg/status
     0.9.14-1 500
        500 https://rax.mirror.rackspace.com/ubuntu xenial/main amd64 Packages
        500 https://rax.mirror.rackspace.com/ubuntu xenial/main i386 Packages
        500 https://rax.mirror.rackspace.com/ubuntu xenial/main all Packages
```

As the permission issues seem to be fixed in a newer version and the repo the package was installed from is outdated, we can close the issue at this time.