Red Hat Bugzilla – Bug 915412
CVE-2013-0345 varnish: world-readable log files
Last modified: 2014-08-06 08:17:10 EDT
Agostino Sarubbo reported on the oss-security mailing list that, on Gentoo, /var/log/varnish is world-accessible and the log files inside the directory are world-readable. This could allow an unprivileged user to read the log files.
Checking on Fedora and EPEL, /var/log/varnish is provided with 0755 permissions. These should be reduced to 0700 permissions, like /var/log/httpd.
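As an added example (not part of the bug report or the varnish package), the following audit models the exposure described above and the 0700 fix: an unprivileged user can read a log file only when the directory is world-searchable and the file is world-readable, so tightening the directory alone closes the hole. It builds a constructed temporary directory standing in for /var/log/varnish with the 0755/0644 layout found on Fedora.

```python
import os
import stat
import tempfile

def mode_of(path):
    """Permission bits of path as an octal string such as '0755'."""
    return "%04o" % stat.S_IMODE(os.lstat(path).st_mode)

def audit_log_dir(directory):
    """Return (path, mode) findings for a world-accessible log directory.

    A directory without o+x (e.g. 0700 like /var/log/httpd) yields no
    findings even if the files inside still carry 0644, because "other"
    users cannot reach them through the directory.
    """
    findings = []
    dmode = stat.S_IMODE(os.lstat(directory).st_mode)
    if not dmode & stat.S_IXOTH:
        return findings
    findings.append((directory, mode_of(directory)))
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
            findings.append((path, mode_of(path)))
    return findings

def harden_log_dir(directory):
    """Apply the fix adopted for varnish: chmod 0700 on the log directory."""
    os.chmod(directory, 0o700)
    return mode_of(directory)

def demo():
    """Constructed stand-in for /var/log/varnish with the reported layout."""
    root = tempfile.mkdtemp()
    logdir = os.path.join(root, "varnish")
    os.mkdir(logdir)
    os.chmod(logdir, 0o755)  # world-accessible, as shipped on Fedora/EPEL
    for name in ("varnish.log", "varnishncsa.log"):
        with open(os.path.join(logdir, name), "w") as fh:
            fh.write("constructed sample log line\n")
        os.chmod(os.path.join(logdir, name), 0o644)  # world-readable
    before = audit_log_dir(logdir)
    harden_log_dir(logdir)
    after = audit_log_dir(logdir)
    return before, after

if __name__ == "__main__":
    print(demo())
```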
Created varnish tracking bugs for this issue
Affects: fedora-all [bug 915413]
Affects: epel-all [bug 915414]
Quoting from #fedora-security on IRC, 2013-11-14
14:29 < ingvarha> Easy "fix" is just to chmod 700 the log directory in question, like for instance apache httpd does
14:30 < ingvarha> Possible problem is of course if users have log processing tools that use non-root access to these files
14:30 < ingvarha> Is it OK to just change this in the stable EPEL branches?
14:30 < bress> I wouldn't change this in the stable branch.
14:31 < bress> I'd change it in the next major rev version (f20 or f21, epel7). It's not *that* serious to warrant screwing up a ton of
14:31 < ingvarha> well
14:31 < ingvarha> the ticket is on epel too
14:31 < ingvarha> s/ticket/bug/
14:33 < bress> Right. It's a good hardening measure, but as you said, people are currently expecting certain permissions.
14:34 < ingvarha> Can I quote you on this in the bug? :-)
14:34 < bress> Certainly.
14:36 < ingvarha> So I should just close this as WONTFIX, then?
14:39 < bress> For the older versions. Do fix it in git for the new stuff I'd
14:39 < bress> I mean, we should have better log permissions, it's just the pain of fixing this outweighs the pain of fixing it ;)
14:39 < bress> It's a simple code fix, but going to be horrible for admins.
(bress is this guy: https://fedoraproject.org/wiki/JoshBressers )
Yeah, we know who Josh is. I'm sort of assuming that this could be fixed for Fedora 20, which would hopefully be a baseline for anything in EPEL7, so it would inherit the fix?
This probably could have been fixed in Fedora 19 as well, given the age of this bug...
This has been fixed in varnish-3.0.5-1 in Fedora 18, 19 and 20.
Just a small thing: This change gives a non-standard-dir-perm rpmlint error. As the same goes for httpd, I'll leave it like this.
$ rpmlint httpd-2.4.9-1.fc19.x86_64.rpm varnish-3.0.5-1.fc19.x86_64.rpm | grep log
httpd.x86_64: E: non-standard-dir-perm /var/log/httpd 0700L
varnish.x86_64: E: non-standard-dir-perm /var/log/varnish 0700L