File permissions danger

eldergeek
Junior Member
Posts: 26
Joined: 18 Mar 2010, 07:25

File permissions danger

Post by eldergeek »

cxsWatch, in particular /etc/cxs/cxswatch.sh, ignores the --logfile parameter so I can't put this logfile anywhere safe.

The result is that it always logs into /var/log/cxswatch.log

If the file is deleted, and the service restarted, it creates the file chmod 644. As /var/log/ is readable by all, isn't this a security issue? As a standard user of a CentOS machine running cPanel, I can view this file and see entries pertaining to other users' file activities, which makes for easy pickings for anyone trying to mount a symlink attack.

ForumAdmin
Moderator
Posts: 1460
Joined: 01 Oct 2008, 09:24

Re: File permissions danger

Post by ForumAdmin »

Thank you for the suggestion; we'll include something in the next release. In the meantime you can chmod the log file and add the following to the /etc/logrotate.d/cxswatch configuration file:

create 0600 root root
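
The interim workaround above, as an added example that is not part of the original posts or of cxs itself: a POSIX shell check that the log file and the `create` mode in its logrotate stanza grant nothing to group or other. The function names are made up for this illustration, and treating a missing `create` mode as a finding is the example's own policy choice.

```shell
#!/bin/sh
# Added example (not from cxs): audit a log file and its logrotate stanza.
# Paths are arguments; in the thread they would be /var/log/cxswatch.log
# and /etc/logrotate.d/cxswatch. Function names are hypothetical.

# Print the octal permission bits of a file (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if an octal mode grants nothing to group or other.
mode_is_private() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# Print the mode of the first "create MODE owner group" directive, if any.
logrotate_create_mode() {
    awk '$1 == "create" && $2 ~ /^[0-7]+$/ { print $2; exit }' "$1"
}

# Report findings for one log/config pair; return 1 if anything is exposed.
check_log() {
    log=$1 conf=$2 rc=0
    if [ -e "$log" ]; then
        m=$(file_mode "$log")
        if ! mode_is_private "$m"; then
            echo "FINDING: $log is mode $m (readable beyond owner)"; rc=1
        fi
    fi
    c=$(logrotate_create_mode "$conf")
    if [ -z "$c" ]; then
        # Policy choice of this example: an unpinned mode counts as a finding.
        echo "FINDING: $conf sets no explicit create mode"; rc=1
    elif ! mode_is_private "$c"; then
        echo "FINDING: $conf recreates the log as $c"; rc=1
    fi
    return $rc
}

# Stand-alone use: sh check.sh /var/log/cxswatch.log /etc/logrotate.d/cxswatch
if [ $# -eq 2 ]; then check_log "$1" "$2"; fi
```

Checking both places matters because a 0600 file alone reverts to the service's default mode the next time the log is recreated.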

ForumAdmin
Moderator
Posts: 1460
Joined: 01 Oct 2008, 09:24

Re: File permissions danger

Post by ForumAdmin »

This has now been implemented in v3.25:
http://blog.configserver.com/?p=2078
