Agostino Sarubbo reported on the oss-security mailing list [1] that, on Gentoo, /var/log/varnish is world-accessible and the log files inside the directory are world-readable. This could allow an unprivileged user to read the log files. Checking on Fedora and EPEL, /var/log/varnish is provided with 0755 permissions. These should be reduced to 0700 permissions, like /var/log/httpd.

[1] http://www.openwall.com/lists/oss-security/2013/02/22/14
Created varnish tracking bugs for this issue Affects: fedora-all [bug 915413] Affects: epel-all [bug 915414]
Quoting from #fedora-security on IRC, 2013-11-14

14:29 < ingvarha> Easy "fix" is just to chmod 700 the log directory in question, like for instance apache httpd does
14:30 < ingvarha> Possible problem is of course if users have log processing tools that use non-root access to these files
14:30 < ingvarha> Is it OK to just change this in the stable EPEL branches?
14:30 < bress> I wouldn't change this in the stable branch.
14:31 < bress> I'd change it in the next major rev version (f20 or f21, epel7). It's not *that* serious to warrant screwing up a ton of infrastructure.
14:31 < ingvarha> well
14:31 < ingvarha> the ticket is on epel too
14:31 < ingvarha> s/ticket/bug/
14:33 < bress> Right. It's a good hardening measure, but as you said, people are currently expecting certain permissions.
14:34 < ingvarha> Can I quote you on this in the bug? :-)
14:34 < bress> Certainly.
14:36 < ingvarha> So I should just close this as WONTFIX, then?
14:39 < bress> For the older versions. Do fix it in git for the new stuff I'd say.
14:39 < bress> I mean, we should have better log permissions, it's just the pain of fixing this outweighs the pain of fixing it ;)
14:39 < bress> It's a simple code fix, but going to be horrible for admins.

(bress is this guy: https://fedoraproject.org/wiki/JoshBressers )
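The check an admin would want after reading the report (a 0755 /var/log/varnish with world-readable files, to be tightened to 0700 like /var/log/httpd) and the IRC concern about non-root log-processing tools, as an added example that is not part of this bug or of the varnish package. It audits any log directory for "other" bits, then hardens it either to 0700 or, when a group is named so that non-root log readers keep access, to 0750. It assumes GNU coreutils stat (the -c '%a' format) and only looks at regular files directly inside the directory; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or the varnish package): audit a log
# directory for world access and tighten it. Assumes GNU stat (-c '%a').

# audit_logdir DIR
# Returns 0 when DIR has no "other" bits and no regular file directly inside it
# is world-readable; otherwise prints each offender and returns 1.
audit_logdir() {
    dir=$1
    status=0
    # stat -c '%a' prints the octal mode without a leading zero (e.g. 755);
    # the last digit is the "other" class, so mode % 10 isolates it.
    dmode=$(stat -c '%a' "$dir")
    if [ $((dmode % 10)) -ne 0 ]; then
        echo "world-accessible dir: $dir ($dmode)"
        status=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        fmode=$(stat -c '%a' "$f")
        # world-readable means the read bit (4) is set in the "other" digit
        if [ $(( (fmode % 10) & 4 )) -ne 0 ]; then
            echo "world-readable file: $f ($fmode)"
            status=1
        fi
    done
    return $status
}

# harden_logdir DIR [GROUP]
# Without GROUP: 0700 on the directory, as httpd does. With GROUP: 0750 and
# chgrp, so a log-processing tool running as a member of GROUP keeps access
# instead of the directory being opened to everyone. Either way, strip the
# "other" bits from the files inside.
harden_logdir() {
    dir=$1
    group=$2
    if [ -n "$group" ]; then
        chgrp "$group" "$dir" && chmod 0750 "$dir"
    else
        chmod 0700 "$dir"
    fi
    # "|| true" so an empty directory (no glob match) is not an error
    chmod o-rwx "$dir"/* 2>/dev/null || true
}

# Usage: sh logdir_perms.sh /var/log/varnish   (audit only, exit 1 if insecure)
if [ $# -gt 0 ]; then
    audit_logdir "$1"
    exit $?
fi
```

Run the audit first; a non-zero exit with a list of offenders is what the report describes for the 0755 packaging. The 0750-with-group variant is the compromise for the case ingvarha raises: it keeps the directory out of reach of arbitrary users without breaking a non-root log reader that can be put in the group.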
Yeah, we know who Josh is. I'm sort of assuming that this could be fixed for Fedora 20, which would hopefully be a baseline for anything in EPEL7, so it would inherit the fix? This probably could have been fixed in Fedora 19 as well, given the age of this bug...
This has been fixed in varnish-3.0.5-1 in Fedora 18, 19 and 20.
Just a small thing: This change gives a non-standard-dir-perm rpmlint error. As the same goes for httpd, I'll leave it like this.

$ rpmlint httpd-2.4.9-1.fc19.x86_64.rpm varnish-3.0.5-1.fc19.x86_64.rpm | grep log
httpd.x86_64: E: non-standard-dir-perm /var/log/httpd 0700L
varnish.x86_64: E: non-standard-dir-perm /var/log/varnish 0700L

Ingvar