rsyslog: CVE-2015-3243

rsyslog uses weak permissions for generating log files, which allows local users to obtain sensitive information by reading files in /var/log/cron.log We add "create 0600 root root" to the /etc/logrotate.d/syslog file, this will ensure the file is created with permissions when logrotate runs. It is also recommended that users manually set the permissions on existing or newly installed log files in order to prevent access by untrusted users. https://bugzilla.redhat.com/show_bug.cgi?id=1232826 CVE: CVE-2015-3243 Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
author: Zhixiong Chi <zhixiong.chi@windriver.com> 2017-08-20 10:51:48 +0800
committer: Martin Jansa <Martin.Jansa@gmail.com> 2017-08-31 15:22:57 +0200
commit: d802d780321f47fb691626286d60f3e7a2f70057 (patch)
tree: 8faae8d29f3d142e71a96a106e873bb3cd1c169b
parent: 24230a7fe13ac91531361b829df0524d6d9cbadc (diff)
download: meta-openembedded-contrib-d802d780321f47fb691626286d60f3e7a2f70057.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
index 94ec517b21..7960815295 100644
--- a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
+++ b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
@@ -23,6 +23,9 @@
 /var/log/user.log
 /var/log/lpr.log
 /var/log/cron.log
+{
+        create 0600 root root
+}
 /var/log/debug
 /var/log/messages
 {
author	Zhixiong Chi <zhixiong.chi@windriver.com>	2017-08-20 10:51:48 +0800
committer	Martin Jansa <Martin.Jansa@gmail.com>	2017-08-31 15:22:57 +0200
commit	d802d780321f47fb691626286d60f3e7a2f70057 (patch)
tree	8faae8d29f3d142e71a96a106e873bb3cd1c169b
parent	24230a7fe13ac91531361b829df0524d6d9cbadc (diff)
download	meta-openembedded-contrib-d802d780321f47fb691626286d60f3e7a2f70057.tar.gz