Hello!

On Wed, Nov 10, 2010 at 10:49:05AM -0600, Gunnar Wolf wrote:
> Package: rails
> Version: 2.3.5-1.1
> Severity: serious
> Tags: security patch
> Justification: 4
> 
> When spawning a Rails process as any user that is not the logfile
> owner, the following IMHO dangerous advice is given:
> 
>     Rails Error: Unable to access log file. Please ensure that
>     /home/webapps/servicio.iiec/log/production.log exists and is chmod
>     0666. The log level has been raised to WARN and the output
>     directed to STDERR until the problem is fixed.
> 
> Asking the administrator to make the log files mode 0666 would make
> them vulnerable to modification or erasure by any system user. Even
> given that many of Rails' users are not Unix-savvy, this should
> clearly be rephrased.


Good catch. That is some failed recommendation. Although this is not
really a security bug - it's a documentation bug. Normally the
recommendation should be that the logfile is chowned to the user of the
running rails application (e.g. the webserver) and still be 0644 or 0640 or
even 0600.

My inclination would be to only have,

>     Rails Error: Unable to write to log file
>     /home/webapps/servicio.iiec/log/production.log. Please ensure that
>     /home/webapps/servicio.iiec/log/ exists and is
>     accessible to the rails application.
>
>     The log level has been raised to WARN and the output
>     directed to STDERR until the problem is fixed.

Then it is up to the administrator to know what this means. A
recommendation of 0644 permissions could be added here too.


Do you happen to have access to git.debian.org? If you do, can you
apply your patch? The procedure is basically,

   git checkout v2.3-stable
   ... apply patch ...
   git commit -a
   git push

A longer way would be,

   git checkout v2.3-stable
   ... apply patch ...
   git status   # lists all changed files
   git add <file changed by patch>
   ...
   git commit
   git push

v2.3-stable is the branch for Rails 2.3.x.

"git push" will move the commit to the server. "git commit -a" commits the
changes in all changed files. I'll then try to get this patch included in
upstream's repository.

- Adam


-- 
Adam Majer
ad...@zombino.com
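As an added illustration of the safer advice discussed in this thread (not Rails code and not part of either message), the following Ruby script checks a log path the way a logger setup could before falling back to STDERR: it refuses to suggest 0666, flags a world-writable file as the problem rather than the fix, and otherwise points the administrator at ownership and 0640/0600. The function names `log_file_status`, `log_file_advice` and `demo_log_statuses` are hypothetical, and the demo files it creates in a scratch directory are constructed for the example.

```ruby
require 'etc'
require 'fileutils'
require 'tmpdir'

# Hypothetical check a logger could run instead of printing "chmod 0666".
# Returns one of :ok, :world_writable, :wrong_owner, :not_writable,
# :missing_file, :missing_dir, judged from the point of view of `uid`
# (the user the Rails application runs as).
def log_file_status(path, uid: Process.euid)
  dir = File.dirname(path)
  return :missing_dir unless File.directory?(dir)
  return :missing_file unless File.file?(path)

  st = File.stat(path)
  mode = st.mode & 0o777
  # A world-writable log lets every local account truncate, fill or forge
  # entries in it, so report that before anything else, even if it is
  # technically writable by us.
  return :world_writable if (mode & 0o002) != 0
  return :wrong_owner if st.uid != uid
  return :not_writable unless File.writable?(path)
  :ok
end

# Replacement wording for the error message: name the actual problem and
# a fix that keeps the file private to the application user. Returns nil
# when nothing is wrong.
def log_file_advice(path, uid: Process.euid)
  user = Etc.getpwuid(uid).name rescue uid.to_s
  case log_file_status(path, uid: uid)
  when :ok
    nil
  when :world_writable
    "Rails Error: log file #{path} is world-writable; run " \
      "'chmod 0640 #{path}' so other users cannot modify or erase it."
  when :wrong_owner
    "Rails Error: log file #{path} is not owned by #{user}; run " \
      "'chown #{user} #{path}' and keep it mode 0640 or 0600."
  when :not_writable
    "Rails Error: log file #{path} is not writable by #{user}; run " \
      "'chmod u+w #{path}'."
  when :missing_file
    "Rails Error: log file #{path} does not exist; create it owned by " \
      "#{user} with mode 0640."
  when :missing_dir
    "Rails Error: log directory #{File.dirname(path)} does not exist " \
      "or is not accessible to #{user}."
  end
end

# Constructed demo: three paths in a temporary directory covering the
# 0666 case the bug report complains about, the recommended 0640 case,
# and a file that is simply absent. Returns { basename => status }.
def demo_log_statuses
  Dir.mktmpdir('rails-log-check') do |dir|
    loose = File.join(dir, 'production.log')
    FileUtils.touch(loose)
    File.chmod(0o666, loose)

    tight = File.join(dir, 'development.log')
    FileUtils.touch(tight)
    File.chmod(0o640, tight)

    gone = File.join(dir, 'test.log')

    [loose, tight, gone].to_h { |p| [File.basename(p), log_file_status(p)] }
  end
end

if $PROGRAM_NAME == __FILE__
  demo_log_statuses.each { |name, status| puts "#{name}: #{status}" }
end
```

The ownership test compares against the effective uid of the running process, which is the user the application actually writes as; comparing against the file's group or against a configured name would miss the common case of a deploy script creating the log as a different account.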



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
