Package: postgresql
Version: 7.4.6-5
Severity: minor
Tags: security, patch

Hi.
[To the QA Team: This seems to be quite common; I've just filed a bug for the apache package. Can you have a look at it? Thanks.]

/var/log/postgresql is world-readable, so users can e.g. check whether a certain operation triggered an error. And given that the error strings are pretty standardized, they can guess what string has been added to the logfile, judging by the number of bytes that was appended to the log.

As this is not very obvious to the system administrator, and as there is no use in the /var/log/postgresql directory being readable and searchable while the files in it are not, apart from the information disclosure described above, I think it should be chmod-ed 750, just as the logs in it are chmod 640.

Thanks.
Jan.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (700, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.28-jan
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2 (charmap=ISO-8859-2)

Versions of packages postgresql depends on:
ii  adduser           3.59                     Add and remove users and groups
ii  debconf [debconf  1.4.30.10                Debian configuration management sy
ii  debianutils       2.8.4                    Miscellaneous utilities specific t
ii  libc6             2.3.2.ds1-18             GNU C Library: Shared libraries an
ii  libcomerr2        1.35-6                   The Common Error Description libra
ii  libkrb53          1.3.5-1                  MIT Kerberos runtime libraries
ii  libpam0g          0.76-22                  Pluggable Authentication Modules l
ii  libperl5.8        5.8.4-3                  Shared Perl library
ii  libpq3            7.4.6-5                  PostgreSQL C client library
ii  libreadline4      4.3-11                   GNU readline and history libraries
ii  libssl0.9.7       0.9.7e-2                 SSL shared libraries
ii  mailx             1:8.1.2-0.20040524cvs-3  A simple mail user agent
ii  postgresql-clien  7.4.6-5                  front-end programs for PostgreSQL
ii  procps            1:3.2.1-2                The /proc file system utilities
ii  python2.3         2.3.4-13                 An interactive high-level object-o
ii  ucf               1.13                     Update Configuration File: preserv
ii  zlib1g            1:1.2.2-3                compression library - runtime

-- debconf information:
  postgresql/enable_lang: true
* postgresql/initdb/location: /var/lib/postgres/data
* postgresql/purge_data_too: false
  postgresql/upgrade/preserve_location: $PGDATA/..
  postgresql/very_old_version_warning: true
* postgresql/settings/day_month_order: European
  postgresql/upgrade/policy: true
  postgresql/upgrade/dump_location: $PGDATA/..
  postgresql/convert-pg_hba.conf: true
* postgresql/settings/locale: en_US

-- 
 )^o-o^|      jabber: [EMAIL PROTECTED]
 | .v  K      e-mail: jjminar FastMail FM
 `  - .'       phone: +44(0)7981 738 696
  \ __/Jan       icq: 345 355 493
 __|o|__Minář    irc: [EMAIL PROTECTED]
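An added example, not part of the original report: a small audit an administrator could run to find log directories in the state described above, where the files are unreadable to other users but the directory still lets them list names or stat() the files and watch their sizes grow. The function names and finding labels are made up for this sketch; it reads permissions from `ls -ld` output and changes nothing.

```shell
#!/bin/sh
# Added example; function names and finding labels are illustrative only.

# other_perms PATH: print the three "other" permission characters, e.g. "r-x".
# In "drwxr-xr-x", column 1 is the type, 2-4 user, 5-7 group, 8-10 other.
other_perms() {
    ls -ld -- "$1" | cut -c8-10
}

# audit_log_dir DIR: print one finding per line; return 1 if anything was found.
#   DIR_LISTABLE  others can list the file names in DIR
#   SIZE_VISIBLE  others cannot read FILE, yet can stat() it through DIR,
#                 so its size and mtime are observable
audit_log_dir() {
    dir=$1
    rc=0
    dperm=$(other_perms "$dir")
    case $dperm in
        r*) echo "DIR_LISTABLE $dir"; rc=1 ;;
    esac
    case $dperm in
        # "-" or "T" in the last column: no search permission for others,
        # so files inside cannot be stat()ed by them.
        ??-|??T) return "$rc" ;;
    esac
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $(other_perms "$f") in
            -*) echo "SIZE_VISIBLE $f"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage: audit_log_dir /var/log/postgresql
# The change proposed in the report is: chmod 750 /var/log/postgresql
```

With the directory at 755 and a log at 640 this reports both findings; after the directory is set to 750 it reports nothing.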