
postgresql: log directory should have same permissions as logfiles (information disclosure)



Package: postgresql
Version: 7.4.6-5
Severity: minor
Tags: security, patch

Hi.

[To the QA Team: This seems to be quite common; I've just filed a bug for
the apache package.  Can you have a look at it? Thanks.]

/var/log/postgresql is world-readable, so users can e.g. check whether
a certain operation triggered an error.  And given that the error
strings are pretty standardized, they can guess what string has been
added to the logfile, judging by the number of bytes that were appended
to the log.

As this is not very obvious to the system administrator, and as there is
no use in the /var/log/postgresql directory being readable and
searchable while the files in it are not, apart from the information
disclosure described above, I think it should be chmod-ed 750, just as
the logs in it are chmod 640.

Thanks.
Jan.


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (700, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.28-jan
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2 (charmap=ISO-8859-2)

Versions of packages postgresql depends on:
ii  adduser          3.59                    Add and remove users and groups
ii  debconf [debconf 1.4.30.10               Debian configuration management sy
ii  debianutils      2.8.4                   Miscellaneous utilities specific t
ii  libc6            2.3.2.ds1-18            GNU C Library: Shared libraries an
ii  libcomerr2       1.35-6                  The Common Error Description libra
ii  libkrb53         1.3.5-1                 MIT Kerberos runtime libraries
ii  libpam0g         0.76-22                 Pluggable Authentication Modules l
ii  libperl5.8       5.8.4-3                 Shared Perl library
ii  libpq3           7.4.6-5                 PostgreSQL C client library
ii  libreadline4     4.3-11                  GNU readline and history libraries
ii  libssl0.9.7      0.9.7e-2                SSL shared libraries
ii  mailx            1:8.1.2-0.20040524cvs-3 A simple mail user agent
ii  postgresql-clien 7.4.6-5                 front-end programs for PostgreSQL
ii  procps           1:3.2.1-2               The /proc file system utilities
ii  python2.3        2.3.4-13                An interactive high-level object-o
ii  ucf              1.13                    Update Configuration File: preserv
ii  zlib1g           1:1.2.2-3               compression library - runtime

-- debconf information:
  postgresql/enable_lang: true
* postgresql/initdb/location: /var/lib/postgres/data
* postgresql/purge_data_too: false
  postgresql/upgrade/preserve_location: $PGDATA/..
  postgresql/very_old_version_warning: true
* postgresql/settings/day_month_order: European
  postgresql/upgrade/policy: true
  postgresql/upgrade/dump_location: $PGDATA/..
  postgresql/convert-pg_hba.conf: true
* postgresql/settings/locale: en_US

-- 
 )^o-o^|    jabber: rdancer@NJS.NetLab.Cz
 | .v  K    e-mail: jjminar FastMail FM
 `  - .'     phone: +44(0)7981 738 696
  \ __/Jan     icq: 345 355 493
 __|o|__Minář  irc: rdancer@IRC.FreeNode.Net
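
The condition the report describes (a directory searchable by a class of users who cannot read the files inside it, so they can still stat(2) them and watch sizes grow) can be checked and fixed mechanically. The script below is an added example, not part of the bug report or the Debian package; it assumes Linux with a stat(1) that supports `-c '%a'` (GNU coreutils or busybox), and the directory and file names it is run against are up to the caller.

```sh
#!/bin/sh
# Added example, not part of the bug report: find log directories whose
# group/other "search" (x) bit lets users stat(2) log files they cannot read,
# which is the size-watching leak described above, and tighten them.
# Assumes Linux with a stat(1) where `stat -c '%a'` prints the octal mode.

# Last character of a string, using only POSIX parameter expansion.
last_char() { printf '%s\n' "${1#"${1%?}"}"; }

# Print "GROUP OTHER" permission digits of a path, e.g. "5 0" for mode 750.
perm_digits() {
    m=$(stat -c '%a' "$1")   # e.g. 640, 755, or 2750 (setgid bit prefixed)
    printf '%s %s\n' "$(last_char "${m%?}")" "$(last_char "$m")"
}

# check_logdir DIR: return 0 if no file in DIR can be stat'ed by a class
# (group or other) that is not allowed to read it; otherwise print each
# offending file and return 1.  stat(2) needs only search (x) on the
# directory, while reading the contents needs read (r) on the file.
check_logdir() {
    dir=$1; rc=0
    set -- $(perm_digits "$dir"); dg=$1; do_=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        set -- $(perm_digits "$f"); fg=$1; fo=$2
        if { [ $(( dg & 1 )) -ne 0 ] && [ $(( fg & 4 )) -eq 0 ]; } ||
           { [ $(( do_ & 1 )) -ne 0 ] && [ $(( fo & 4 )) -eq 0 ]; }; then
            echo "$dir ($(stat -c '%a' "$dir")) is searchable by users who cannot read $f ($(stat -c '%a' "$f"))"
            rc=1
        fi
    done
    return $rc
}

# fix_logdir DIR: for each class (group, other) that cannot read some file in
# DIR, drop that class's bits on DIR itself; 640 files in a 755 directory
# therefore end up in a 750 directory, as the report proposes.
fix_logdir() {
    dir=$1; strip=''
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        set -- $(perm_digits "$f")
        [ $(( $1 & 4 )) -eq 0 ] && strip="${strip}g-rwx,"
        [ $(( $2 & 4 )) -eq 0 ] && strip="${strip}o-rwx,"
    done
    [ -n "$strip" ] && chmod "${strip%,}" "$dir"
    return 0
}
```

Run `check_logdir /var/log/postgresql` to see whether the directory is wider than its logs; `fix_logdir` only ever removes bits from the directory, never from the files.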
