It was reported that sosreport creates output files with world-readable permissions:
-rw-r--r--. 1 root root 7331624 May 4 08:55
-rw-r--r--. 1 root root 33 May 4 08:55
The archive may consists of files originally only accessible by the root user. However, after extracting the archive, all of the files are readable by regular users with access to /var/tmp/.
Red Hat would like to thank Grant Murphy for reporting this issue.
Created sos tracking bugs for this issue:
Affects: fedora-all [bug 1218659]
Version & release numbers?
Does not affect F20 or earlier:
# sosreport -v --batch -o general
sosreport (version 3.1)
This command will collect system configuration and diagnostic
information from this Fedora system. An archive containing the collected
information will be generated in /var/tmp.
For more information on the Fedora Project visit:
The generated archive may contain data considered sensitive and its
content should be reviewed by the originating organization before being
passed to any third party.
No changes will be made to system configuration.
Running plugins. Please wait ...
Running 1/1: general...
Creating compressed archive...
Your sosreport has been generated and saved in:
The checksum is: 640904285a51114c0b03f142e533af4c
Please send this file to your support representative.
[root@localhost ~]# ll /var/tmp/sosreport-localhost.localdomain-20150505162121.tar.xz
-rw-------. 1 root root 584392 May 5 16:21 /var/tmp/sosreport-localhost.localdomain-20150505162121.tar.xz
Unfortunately F21 is still using an early build of 3.2 that has a bug in the umask handling for the tar archive:
Author: Bryn M. Reeves <email@example.com>
Date: Thu Oct 30 16:46:01 2014 +0000
[sosreport] fix archive permissions regression
Restore the umask save/restore around archive creation and ensure
the effective umask is 077 at the time of archive creation.
Signed-off-by: Bryn M. Reeves <firstname.lastname@example.org>
I'll update this in F21, 22 and rawhide to a version that includes the above commit.
This flaw is a regression in the default behaviour of sosreport, which was introduced by the following commit:
and was fixed via the following commit:
Not vulnerable. This issue does not affect the version of sos package as shipped with Red Hat Enterprise Linux 5, 6 and 7.