[Logcheck-devel] Bug#481347: logcheck: Logcheck leaves world-readable dead.letter
Stefanos Harhalakis
v13 at v13.gr
Thu May 15 12:39:19 UTC 2008
Package: logcheck
Version: 1.2.54
Severity: grave
Tags: security
Justification: user security hole
Logcheck can leave a world-readable dead.letter that contains parsed logs.
Steps to reproduce:
* Create a lot of logs that will not be filtered by logcheck (very easy). 10MBytes should be enough. You have an hour to do so.
* When logcheck runs it will produce a file of size X MBytes to be mailed to root.
* Most MTAs have a limit for the maximum message size. If it is exceeded and you're using sendmail, the mail will be saved in a file named dead.letter.
* For logcheck this is placed in: /var/lib/logcheck/dead.letter
* Go read this file and get some logs that you should not see.
Example file:
-rw-r--r-- 1 logcheck logcheck 17001006 2008-05-15 15:02 /var/lib/logcheck/dead.letter
Proposed solution:
Change permissions of /var/lib/logcheck dir to 770
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (990, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages logcheck depends on:
ii adduser 3.102 Add and remove users and groups
ii cron 3.0pl1-100 management of regular background p
ii debconf 1.5.11etch1 Debian configuration management sy
ii grep 2.5.1.ds2-6 GNU grep, egrep and fgrep
ii lockfile-progs 0.1.10 Programs for locking and unlocking
ii logtail 1.2.54 Print log file lines that have not
ii mailx 1:8.1.2-0.20050715cvs-1 A simple mail user agent
ii sendmail-bin [ma 8.13.8-3 powerful, efficient, and scalable
ii sysklogd [system 1.4.1-18 System Logging Daemon
Versions of packages logcheck recommends:
ii logcheck-database 1.2.54 database of system log rules for t
-- no debconf information
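As an added example (not part of the bug report or of the logcheck package), the following POSIX shell script performs the check a practitioner would want after reading the report and applies the reporter's proposed fix: it lists every path under a logcheck state directory that grants any permission to "other" (the condition that makes a leftover dead.letter readable), and then sets the directory to 770 and strips the "other" bits from its contents. The directory argument, the function names, the 640-style file hardening and the sample log line are assumptions of this example, not anything the report or the package specifies. Note the caveat: tightening the directory only blocks the world-readable path; the dead.letter still holds the parsed logs, and the MTA size limit that caused it to be written is a separate problem.

```shell
#!/bin/sh
# Constructed example: audit and harden a logcheck state directory so that an
# oversized mail left behind as dead.letter is not world-readable.
# Assumptions (not from the bug report): DIR is passed as an argument so the
# functions can be exercised on a temporary directory; 770 on the directory is
# the reporter's proposal, clearing "other" bits on the contents is an extra
# conservative step added here.

# logcheck_audit DIR
# Print every path at or below DIR that has any read/write/execute bit set for
# "other". Returns 0 when nothing is exposed, 1 when something is.
logcheck_audit() {
    dir=$1
    exposed=$(find "$dir" \( -perm -001 -o -perm -002 -o -perm -004 \) -print)
    if [ -n "$exposed" ]; then
        printf 'world-accessible: %s\n' "$exposed"
        return 1
    fi
    return 0
}

# logcheck_harden DIR
# Apply the proposed fix: remove all "other" bits from DIR and its contents,
# then set DIR itself to 0770 so a dead.letter written later is unreachable
# even if the MTA creates it with a permissive mode.
logcheck_harden() {
    dir=$1
    find "$dir" -exec chmod o-rwx {} + && chmod 0770 "$dir"
}

# logcheck_demo
# Reproduce the reported state in a temporary directory (directory 0755,
# dead.letter 0644 holding a constructed log line), confirm the audit flags
# it, harden, and confirm the audit is then clean. Returns 0 on that outcome.
logcheck_demo() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/logcheck" && chmod 0755 "$tmp/logcheck"
    # Constructed sample content standing in for the parsed logs.
    printf 'May 15 15:02:01 host sshd[123]: constructed sample log line\n' \
        > "$tmp/logcheck/dead.letter"
    chmod 0644 "$tmp/logcheck/dead.letter"

    before=0; logcheck_audit "$tmp/logcheck" >/dev/null || before=$?
    logcheck_harden "$tmp/logcheck"
    after=0;  logcheck_audit "$tmp/logcheck" >/dev/null || after=$?

    rm -rf "$tmp"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}

# When run as a script: logcheck_perms.sh audit|harden|demo [DIR]
# With no arguments nothing is executed, so the file can also be sourced.
case "${1:-}" in
    audit)  logcheck_audit  "${2:-/var/lib/logcheck}" ;;
    harden) logcheck_harden "${2:-/var/lib/logcheck}" ;;
    demo)   logcheck_demo && echo 'demo: exposed before hardening, clean after' ;;
esac
```

Run `sh logcheck_perms.sh audit /var/lib/logcheck` as root to see whether the state directory or anything inside it is reachable by other users; `harden` applies the 770 change from the report. The audit deliberately flags the directory itself as well as files, because a world-readable file inside a directory without o+x is not actually reachable, and a 770 directory is what closes the path.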