GNU bug report logs - #57363
[PATCH 0/1] Set #o640 permissions for log file of shepherd service in container.


Package: guix-patches

Reported by: Arun Isaac <arunisaac <at> systemreboot.net>

Date: Tue, 23 Aug 2022 17:32:02 UTC

Severity: normal

Tags: patch

Done: Arun Isaac <arunisaac <at> systemreboot.net>

Bug is archived. No further changes may be made.



Message #14 received at 57363 <at> debbugs.gnu.org:

From: Arun Isaac <arunisaac <at> systemreboot.net>
To: Maxime Devos <maximedevos <at> telenet.be>, 57363 <at> debbugs.gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>
Subject: Re: [bug#57363] [PATCH 0/1] Set #o640 permissions for log file of
 shepherd service in container.
Date: Tue, 30 Aug 2022 00:45:33 +0530

Hi Maxime,

> There is a small window during which the log file has overly-wide 
> permissions, which IIUC makes the log openable when it shouldn't, which 
> could later be exploited (after the daemon has been running for a while) 
> to extract anything secret written to the log by the service.

True, thanks for catching that!

> Try using (close (open log-file (logior O_CREAT O_APPEND O_CLOEXEC) 
> #o600)) instead, that should make things atomic.

Done. An updated patch follows.

> I do not know if clearing the log file is desired -- if so, remove 
> O_APPEND, if not, keep O_APPEND.

I don't think clearing the log file is desired. Append is good, I
think. Users wouldn't want their log files overwritten every time their
system is restarted.

Regards,
Arun
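
The window discussed in this message, as an added example that is not part of the original thread or of the Guix patch: Python's `os.open` stands in for Guile's `open` (both wrap open(2)), and the example also covers a log file that already exists, which the message does not discuss. The helper names, the temporary path and the umask of 022 are assumptions.

```python
# Added example; helper names and the temporary path are constructed.
import os
import stat
import tempfile


def perms_of(path):
    """Permission bits of path, as any other process calling stat() sees them."""
    return stat.S_IMODE(os.stat(path).st_mode)


def create_then_chmod(path, mode):
    """Two-step form: create with default bits, narrow afterwards.
    Returns the mode the file had in the window between the two calls."""
    with open(path, "a"):              # created as 0o666 & ~umask
        pass
    window = perms_of(path)            # what the file looks like before chmod
    os.chmod(path, mode)
    return window


def create_with_mode(path, mode):
    """Single-call form from the review: the mode is applied by the same
    open(2) that creates the file. Returns the mode once the file exists."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_CLOEXEC
    os.close(os.open(path, flags, mode))
    return perms_of(path)


def demo(variant, mode=0o640):
    """Run one variant on a fresh file under umask 0o022.
    'existing' pre-creates the log as 0o644 before the single-call form."""
    old = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "service.log")
            if variant == "two-step":
                return create_then_chmod(path, mode)
            if variant == "existing":
                create_then_chmod(path, 0o644)
            return create_with_mode(path, mode)
    finally:
        os.umask(old)


if __name__ == "__main__":
    for v in ("two-step", "atomic", "existing"):
        print(f"{v:9s} {demo(v):04o}")
```

Under umask 022 the two-step form leaves the file at 0644 until the chmod runs, the single call yields 0640 from the moment the file exists, and a pre-existing 0644 log stays 0644 because O_CREAT applies the mode only when it actually creates the file.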




This bug report was last modified 2 years and 321 days ago.
