Bug 490561 - ntop: access.log created world-writable
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=low,source=vendorsec,reported=...
Reported: 2009-03-17 00:04 UTC by Vincent Danen
Modified: 2019-06-08 12:43 UTC (History)

Doc Type: Bug Fix
Last Closed: 2010-03-22 17:34:12 UTC


Description Vincent Danen 2009-03-17 00:04:27 UTC
It was reported to Ubuntu that ntop creates the access log world-writable when the --access-log-file option is used.

This option is not used in Fedora or Red Hat by default and is not noted in the configuration file.  It is, however, noted in the ntop manpage.  It would require the root user to add this option to the configuration in order for this file to be created.

This is a low severity issue.

A possible fix would be the following patch:

--- http.c.org  2009-03-16 16:28:10.000000000 -0700
+++ http.c  2009-03-16 16:27:55.000000000 -0700
@@ -1298,6 +1298,7 @@ void printHTMLtrailer(void) {
 void initAccessLog(void) {
 
   if(myGlobals.runningPref.accessLogFile) {
+    umask(0137);
     myGlobals.accessLogFd = fopen(myGlobals.runningPref.accessLogFile, "a");
     if(myGlobals.accessLogFd == NULL) {
       traceEvent(CONST_TRACE_ERROR, "Unable to create file %s. Access log is disabled.",
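
Review bot: the umask(0137) call added just before fopen() in initAccessLog() changes the umask for the whole process, and in the visible lines its return value is neither saved nor restored, so the tighter mask also applies to anything ntop creates after the access log is opened (directories, for instance, would lose their search bits). Save the old value and put it back once the file is open, e.g. "mode_t old = umask(0137);" before the fopen() and "umask(old);" after it, or create the file with open() using an explicit 0640 mode and wrap the descriptor with fdopen(). Also note that fopen(..., "a") does not change the mode of a file that already exists, so an access log left world-writable by an earlier run keeps those permissions unless it is fchmod()ed or recreated.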

Comment 1 Vincent Danen 2009-03-17 00:07:11 UTC
Forgot to note the Ubuntu bug report: https://bugs.launchpad.net/ubuntu/+source/ntop/+bug/325393

Comment 2 Fedora Update System 2009-03-17 09:11:55 UTC
ntop-3.3.8-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ntop-3.3.8-3.fc10

Comment 3 Rakesh Pandit 2009-03-17 09:16:31 UTC
Fixed in rawhide and submitted an update to bodhi. Will take some time to reach updates.

Comment 4 Tomas Hoger 2009-03-17 09:52:56 UTC
Please do not close 'Security Response' bugs that may affect other products as well.  Thank you!

Comment 5 Rakesh Pandit 2009-04-13 14:32:18 UTC
This has been pushed into stable. Why not close it now? Which other products does it affect? I am confused.

Comment 6 Fedora Update System 2009-04-13 19:46:06 UTC
ntop-3.3.8-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Vincent Danen 2009-04-14 16:13:02 UTC
Hi, Rakesh.  Fedora is not the only product shipping this (EPEL5 and HPC also ship it).

Comment 8 Tomas Hoger 2009-04-21 08:08:34 UTC
Upstream bug:
  http://www.ntop.org/trac/ticket/75

Upstream commit:
  http://www.ntop.org/trac/changeset/3748/trunk

