The sanlock server creates the /var/log/sanlock.log world writable allowing
any one on the system to wipe the contents of the log file or to store data
within the log file (bypassing any quotas applied to their account). The
affected code is:
src/log.h
int setup_logging(void)
{
int fd, rv;
snprintf(logfile_path, PATH_MAX, "%s/%s", SANLK_LOG_DIR,
SANLK_LOGFILE_NAME);
logfile_fp = fopen(logfile_path, "a+");
Created attachment 668606[details]
proposed patch
This is just a starting
point, as I was not able to test the patch myself. Also, I used 660 as
permissions to the file, I'm not sure of whether it's sensible or not.
Please review and test before applying.
This issue has been addressed in following products:
Red Hat Storage 2.0
Red Hat Storage 2.0 Console
Native Client for RHEL 5 for Red Hat Storage
Native Client for RHEL 6 for Red Hat Storage
Via RHSA-2013:0691 https://rhn.redhat.com/errata/RHSA-2013-0691.html
The sanlock server creates the /var/log/sanlock.log world writable allowing any one on the system to wipe the contents of the log file or to store data within the log file (bypassing any quotas applied to their account). The affected code is: src/log.h int setup_logging(void) { int fd, rv; snprintf(logfile_path, PATH_MAX, "%s/%s", SANLK_LOG_DIR, SANLK_LOGFILE_NAME); logfile_fp = fopen(logfile_path, "a+");