[bug#57363] [PATCH 0/1] Set #o640 permissions for log file of shepherd s
From: Arun Isaac
Subject: [bug#57363] [PATCH 0/1] Set #o640 permissions for log file of shepherd service in container.
Date: Tue, 30 Aug 2022 00:45:33 +0530

Hi Maxime,
> There is a small window during which the log file has overly-wide
> permissions, which IIUC makes the log openable when it shouldn't, which
> could later be exploited (after the daemon has been running for a while)
> to extract anything secret written to the log by the service.
True, thanks for catching that!
> Try using (close (open log-file (logior O_CREAT O_APPEND O_CLOEXEC)
> #o600)) instead, that should make things atomic.
Done. An updated patch follows.
> I do not know if clearing the log file is desired -- if so, remove
> O_APPEND, if not, keep O_APPEND.
I don't think clearing the log file is desired. Append is good, I
think. Users wouldn't want their log files overwritten every time their
system is restarted.
Regards,
Arun
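
Added example, not part of the original message or of the Guix patch: a C sketch of the open(2) behaviour discussed above, comparing create-then-chmod with passing the mode at creation, plus the case of a log file that already exists (O_CREAT ignores the mode argument then). The function names, the temporary path and the 022 umask are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of PATH, or (mode_t)-1 on error. */
static mode_t perms(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (st.st_mode & 07777) : (mode_t)-1;
}

/* Racy: create with default permissions, restrict afterwards.
   Returns the mode visible between the two steps. */
mode_t create_then_chmod(const char *path, mode_t want) {
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, 0666);
    if (fd < 0) return (mode_t)-1;
    mode_t window = perms(path); /* a descriptor opened now survives the chmod */
    fchmod(fd, want);
    close(fd);
    return window;
}

/* Atomic: the creating open(2) call applies the mode itself. */
mode_t create_with_mode(const char *path, mode_t want) {
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, want);
    if (fd < 0) return (mode_t)-1;
    close(fd);
    return perms(path);
}

/* Constructed scenarios in a fresh temp dir: 0 = racy window,
   1 = atomic on a new file, 2 = atomic call on a pre-existing 0644 file. */
mode_t scenario(int which) {
    char dir[] = "/tmp/logperm-XXXXXX", path[64];
    if (!mkdtemp(dir)) return (mode_t)-1;
    snprintf(path, sizeof path, "%s/service.log", dir);
    mode_t old = umask(022), r;
    if (which == 0) r = create_then_chmod(path, 0640);
    else {
        if (which == 2) close(open(path, O_WRONLY | O_CREAT, 0644));
        r = create_with_mode(path, 0640);
    }
    umask(old); unlink(path); rmdir(dir);
    return r;
}

int main(void) {
    for (int i = 0; i < 3; i++) printf("scenario %d: %o\n", i, (unsigned)scenario(i));
    return 0;
}
```

In the third scenario the file keeps its old, wider mode, so a log left behind by an earlier run still needs an explicit `fchmod` on the opened descriptor.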