control: tags -1 +confirmed

[2019-08-28 14:12] Daniel Kahn Gillmor <d...@fifthhorseman.net>
> Package: dh-runit
> Version: 2.8.13.2
> Tags: security
> Control: affects -1 tor openssh-server
>
> by default, dh-runit sets up logging runscripts like this:
>
> ------------
> 1 #!/bin/sh
> 2 chown -R runit-log:adm '/var/log/runit/tor'
> 3 chmod 750 '/var/log/runit/tor'
> 4 chmod u+rw,g+r,o-rwx '/var/log/runit/tor'/*
> 5 exec chpst -u runit-log svlogd -tt '/var/log/runit/tor'
> ------------
>
> Lines 2 and 4 are dangerous due to linking attacks.
> [...]

Thank you. I wasn't aware of such problems. Then I plan to change the
script to the following:

1 #!/bin/sh
2 chown runit-log:adm '/var/log/runit/tor'
3 chmod 750 '/var/log/runit/tor'
4 umask 0022
5 exec chpst -u runit-log svlogd -tt '/var/log/runit/tor'

The idea is that since /var/log/runit/tor is 750, log files actually can
only be read by group=adm, even though their permission is 644.

Is it okay? Or does it open the door for some other tricks that would allow
log reading by non :adm users? Or some other problems?
-- 
Note, that I send and fetch email in batch, once in a few days.
Please, mention in body of your reply when you add or remove recipients.
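
Added example, not part of the original message and not dh-runit code: a read-only audit that lists the entries in a log directory which make a root-run "chown -R" or "chmod DIR/*" unsafe, namely symlinks, files with more than one hard link, and unexpected subdirectories. The function name audit_logdir and its output format are made up for illustration, and GNU find is assumed.

```shell
#!/bin/sh
# Added example, not dh-runit code. Read-only: it changes nothing on disk.
# audit_logdir is a hypothetical helper name; GNU find is assumed.
#
# Usage: audit_logdir /var/log/runit/tor
# Prints one finding per line. Returns 0 if clean, 1 if there are findings,
# 2 if the argument is not a real directory.
audit_logdir() {
    dir=$1
    # A symlinked log directory would redirect every later chown/chmod.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "not-a-real-directory $dir"
        return 2
    fi
    findings=$(
        # chmod dereferences symlinks named on its command line, which is
        # what the DIR/* glob in line 4 of the original script produces.
        find "$dir" -mindepth 1 -type l -exec printf 'symlink %s\n' {} \;
        # A file with a second name shares its inode with a path elsewhere,
        # so chown -R (line 2) and chmod (line 4) would change that file too.
        find "$dir" -mindepth 1 -type f -links +1 -exec printf 'hardlink %s\n' {} \;
        # Assumption: svlogd keeps its directory flat, so nesting is unexpected.
        find "$dir" -mindepth 1 -type d -exec printf 'subdir %s\n' {} \;
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

Run as root before the log service starts, a non-zero return means the directory should be inspected before any ownership or mode change is applied to it.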
