[Secure-testing-team] Bug#603048: rails: Gives dangerous advice regarding log permissions

Gunnar Wolf gwolf at gwolf.org
Wed Nov 10 16:49:05 UTC 2010


Package: rails
Version: 2.3.5-1.1
Severity: serious
Tags: security patch
Justification: 4

When a Rails process is spawned by any user that is not the logfile
owner, the following IMHO dangerous advice is given:

    Rails Error: Unable to access log file. Please ensure that
    /home/webapps/servicio.iiec/log/production.log exists and is chmod
    0666. The log level has been raised to WARN and the output
    directed to STDERR until the problem is fixed.

Asking the administrator to make the log files mode 0666 would make
them vulnerable to modification or erasure by any system user. Even
given that many of Rails' users are not Unix-savvy, this should
clearly be rephrased.

This message is generated by the initialize_logger function of
Rails::Initializer, in
/usr/share/rails-ruby1.8/railties/lib/initializer.rb

I suggest the following wording:

--- /usr/share/rails-ruby1.8/railties/lib/initializer.rb	2010-08-26 12:48:36.000000000 -0500
+++ /tmp/initializer.rb	2010-11-10 10:47:53.000000000 -0600
@@ -492,7 +492,7 @@
           logger = ActiveSupport::BufferedLogger.new(STDERR)
           logger.level = ActiveSupport::BufferedLogger::WARN
           logger.warn(
-            "Rails Error: Unable to access log file. Please ensure that #{configuration.log_path} exists and is chmod 0666. " +
+            "Rails Error: Unable to access log file. Please ensure that #{configuration.log_path} exists and is write-accessible to UID #{Process.euid}, GID #{Process.egid}. " +
             "The log level has been raised to WARN and the output directed to STDERR until the problem is fixed."
           )
         end
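Review bot: the new `+` line reports bare numbers from `Process.euid` and `Process.egid`, and the report itself says many Rails admins are not Unix-savvy; printing the account name next to the number, e.g. `Etc.getpwuid(Process.euid).name` (rescuing ArgumentError when the id has no entry), would make the message actionable without a separate `id` lookup. The phrase "write-accessible to UID X, GID Y" also reads as if both are required, whereas either the owner bit for that uid or the group bit for that gid (or any supplementary group) suffices; "writable by UID X or by group Y" says what is actually needed. Minor: the `+` line is now well past 80 columns, and splitting the string at the `" +` like the unchanged line below it would keep the existing style.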


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-openvz-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages rails depends on:
ii  rails-ruby1.8                 2.3.5-1.1  MVC ruby based framework geared fo

rails recommends no packages.

rails suggests no packages.

-- debconf-show failed
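As an added illustration of the kind of diagnostic the report is asking for (this is not code from Rails or from the bug reporter, and the uids, paths and modes below are constructed), the following Ruby builds a log-file access message that names the least-privilege fix for the running effective uid/gid rather than recommending a world-writable mode. File metadata is passed in as plain hashes so the logic runs without touching the filesystem; `stat_hash` shows how to feed it real metadata, and the non-existent-file case is handled separately because the logger opens the file with create semantics, which makes the directory's permissions the relevant ones.

```ruby
require 'etc'

# POSIX write check for an unprivileged process (root is deliberately not
# special-cased; the interesting case is the app server user). Owner bit if
# the effective uid owns the file, group bit if the file's group is the
# effective gid or a supplementary group, otherwise the "other" bit.
def writable_by?(owner:, group:, mode:, uid:, gid:, groups: [])
  bits = mode & 0o777
  if uid == owner
    (bits & 0o200) != 0
  elsif gid == group || groups.include?(group)
    (bits & 0o020) != 0
  else
    (bits & 0o002) != 0
  end
end

# Numeric id plus the account name when this host knows it, so the message
# is readable for an admin who does not think in uids.
def describe_uid(uid)
  "#{uid} (#{Etc.getpwuid(uid).name})"
rescue ArgumentError
  uid.to_s
end

def describe_gid(gid)
  "#{gid} (#{Etc.getgrgid(gid).name})"
rescue ArgumentError
  gid.to_s
end

# Returns { ok:, message:, fix: }. `file` is {owner:, group:, mode:} or nil
# when the log file does not exist yet; `dir` is the same hash for the log
# directory and is consulted only in that case (the logger creates the file).
def log_access_advice(path, file, dir, uid:, gid:, groups: [])
  ids = { uid: uid, gid: gid, groups: groups }
  who = "UID #{describe_uid(uid)}, GID #{describe_gid(gid)}"
  dirname = File.dirname(path)
  if file.nil?
    if writable_by?(**dir, **ids)
      return { ok: true, message: "#{path} will be created by #{who}", fix: [] }
    end
    # Hand the directory to the app user; never make it world-writable.
    return { ok: false,
             message: "#{path} does not exist and #{dirname} is not writable by #{who}",
             fix: ["chown #{uid}:#{gid} #{dirname}", "chmod 0750 #{dirname}"] }
  end
  return { ok: true, message: "#{path} is writable by #{who}", fix: [] } if writable_by?(**file, **ids)
  fix = if file[:owner] == uid
          ["chmod u+w #{path}"] # we own it; the owner write bit is simply missing
        elsif file[:group] == gid || groups.include?(file[:group])
          ["chmod g+w #{path}"] # we share the group; the group write bit is missing
        else
          # Neither owner nor group: give the file to the app user (or its group)
          # with a mode that keeps other local users out, instead of 0666.
          ["chown #{uid} #{path} && chmod 0640 #{path}",
           "or: chgrp #{gid} #{path} && chmod 0660 #{path}"]
        end
  { ok: false, message: "#{path} exists but is not writable by #{who}", fix: fix }
end

# Real metadata for a path on this host, nil when the file is absent.
def stat_hash(path)
  s = File.stat(path)
  { owner: s.uid, group: s.gid, mode: s.mode }
rescue Errno::ENOENT
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed scenario from the report: log owned by uid 1000, mode 0644,
  # app server running as uid/gid 33.
  log = '/home/webapps/servicio.iiec/log/production.log'
  r = log_access_advice(log, { owner: 1000, group: 1000, mode: 0o100644 },
                        { owner: 1000, group: 1000, mode: 0o40755 }, uid: 33, gid: 33)
  puts r[:message]
  r[:fix].each { |f| puts "  #{f}" }
end
```

The advice deliberately prefers `chown`/`chgrp` plus 0640 or 0660 over 0666: with a world-writable log any local account can truncate or rewrite the production log, which is exactly the objection raised above.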