Bug 154126 - Insecure world-readable log file creation in /tmp when debug=1
Status: CLOSED CANTFIX
Product: Fedora Legacy
Classification: Retired
Component: postgresql-odbc
Version: fc3
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Tom Lane
QA Contact: David Lawrence
Keywords: Security
Duplicates: 154128
Reported: 2005-04-07 13:20 EDT by Robin Green
Modified: 2013-07-02 23:05 EDT
Last Closed: 2008-11-08 16:27:37 EST
Description Robin Green 2005-04-07 13:20:03 EDT
Description of problem:
unixODBC, at least with the postgresql driver (I haven't tried other drivers), creates insecure log files in /tmp when the debug=1 option is set in odbc.ini.

Problems:
1. They contain passwords
2. They are world-readable (!)
3. Their filenames are predictable (mkstemp not used, apparently).

Version-Release number of selected component (if applicable):
unixODBC-2.2.9-1

How reproducible:
Always

Steps to Reproduce:
1. Install a program that uses ODBC.
2. Put debug=1 in /etc/odbc.ini
3. Restart the program that uses ODBC (in my case, "service ldap restart").

Actual Results:  A log file appears in /tmp, like this:

-rw-r--r--  1 ldap    ldap    197307 Apr  7 17:46 mylog_ldap14229.log

It contains the database password in the first few lines. 14229 is the pid of one of the ldap server processes (slapd), and this is not just a coincidence - log filenames are always generated from the pid.

Expected Results:  Either it should refuse to create a log file unless an explicit filename is given, or else I think it should use mkstemp (but still keep the pid in the filename for identification purposes) and set the permissions to -rw-------.

Additional info:

Not sure if this bug is in unixODBC or postgresql.

postgresql-7.4.7-3.FC3.1
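As an added example (not the driver's or the reporter's code), the predictable-name pattern the report describes is shown next to a hardened variant along the lines of the suggested fix (mkstemp with the pid kept in the name, mode 0600), plus a check a practitioner can run on an already-open log fd. The function names and the /tmp/mylog_ prefix are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The pattern the report describes (assumed shape, not the driver's own code):
 * the name is derived only from the pid, so it is predictable, and the file is
 * created with whatever the process umask allows, here typically 0644. */
int insecure_log_path(char *buf, size_t len, const char *tag) {
    return snprintf(buf, len, "/tmp/mylog_%s%ld.log", tag, (long)getpid());
}

/* Hardened variant along the lines the reporter suggests: keep the pid for
 * identification, but let mkstemp(3) choose the suffix and create the file
 * atomically (O_CREAT|O_EXCL). umask 077 guards against old mkstemp builds
 * that used 0666, and fchmod() makes 0600 explicit. Returns the fd, path in path_out. */
int open_private_log(char *path_out, size_t len, const char *tag) {
    int n = snprintf(path_out, len, "/tmp/mylog_%s%ld.XXXXXX", tag, (long)getpid());
    if (n < 0 || (size_t)n >= len)
        return -1;
    mode_t old = umask(077);
    int fd = mkstemp(path_out);
    umask(old);
    if (fd < 0) return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        unlink(path_out);
        return -1;
    }
    return fd;
}

/* Check for an already-open log: regular file, one link, no group/other bits. */
int log_fd_is_private(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1 && (st.st_mode & 077) == 0;
}

int main(void) {
    char path[256];
    int fd = open_private_log(path, sizeof path, "ldap");
    if (fd < 0) return 1;
    printf("%s private=%d\n", path, log_fd_is_private(fd));
    close(fd);
    return unlink(path);
}
```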
Comment 1 Robin Green 2005-04-07 13:23:40 EDT
*** Bug 154128 has been marked as a duplicate of this bug. ***
Comment 2 Tom Lane 2005-04-07 22:50:11 EDT
Actually I'd blame it on postgresql-odbc. There is a very old version of the PG ODBC driver in the unixODBC package, from which we can see that the problem is of long standing ... but I'm not going to fix that, rather remove it. If anything is to be done about this it'll be in postgresql-odbc.

I'll take the question up with the upstream postgresql-odbc maintainers. Since it's acted like this for so long, it seems possible that the behavior is intentional, though I agree that sticking a password into such a file doesn't sound like a hot idea.
Comment 3 Matthew Miller 2006-07-10 18:41:14 EDT
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!
Comment 4 Robin Green 2006-07-11 06:22:40 EDT
This is a security bug so reassigning to Fedora Legacy as directed.
Comment 5 Robin Green 2006-07-11 06:25:57 EDT
For some reason this stayed in NEEDINFO state - trying again.
Comment 6 Jesse Keating 2006-08-13 09:49:20 EDT
Tom, have you heard anything from upstream on this issue?
Comment 7 Piotr Drąg 2008-11-08 16:27:37 EST
Closing Fedora Legacy bugs.