I'm curious if there is some reason why the rails command creates the log files as world-writable. This doesn't seem very security conscious.

I know I can have capistrano or puppet change the file mode on those, but that's an extra step... and one that most people probably don't do.

So, what say ye? Was this intentional?

thanks,
Ben

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To post to this group, send email to rubyonrails-core@googlegroups.com
To unsubscribe from this group, send email to rubyonrails-core-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en
On Wed, Sep 12, 2007 at 01:16:31PM -1000, Ben Munat wrote:
> I'm curious if there is some reason why the rails command creates the log files
> as world-writable. This doesn't seem very security conscious.
>
> I know I can have capistrano or puppet change the file mode on those, but that's
> an extra step... and one that most people probably don't do.
>
> So, what say ye? Was this intentional?

Considering that various other parts of Rails recommend 0666 perms on log files, I'd say it was definitely deliberate. Ill-advised, definitely, but deliberate.

- Matt

--
"You could wire up a dead rat to a DIMM socket and the PC BIOS memory test would pass it just fine." -- Ethan Benson
Matt Palmer wrote:
> On Wed, Sep 12, 2007 at 01:16:31PM -1000, Ben Munat wrote:
>> I'm curious if there is some reason why the rails command creates the log files
>> as world-writable. This doesn't seem very security conscious.
>>
>> I know I can have capistrano or puppet change the file mode on those, but that's
>> an extra step... and one that most people probably don't do.
>>
>> So, what say ye? Was this intentional?
>
> Considering that various other parts of Rails recommend 0666 perms on log
> files, I'd say it was definitely deliberate. Ill-advised, definitely, but
> deliberate.

Hmm, but why would rails ever recommend something that is ill-advised? :-D

Ben
On 9/12/07, Ben Munat <bmunat@gmail.com> wrote:
>
> > Considering that various other parts of Rails recommend 0666 perms on log
> > files, I'd say it was definitely deliberate. Ill-advised, definitely, but
> > deliberate.
>
> Hmm, but why would rails ever recommend something that is ill-advised? :-D
>

My guess would be to support FCGI processes that are running as the same user as Apache, which would usually be a different user and group from the user uploading and deploying the application files.
On Wed, Sep 12, 2007 at 10:21:21PM -0600, Gabe da Silveira wrote:
> On 9/12/07, Ben Munat <bmunat@gmail.com> wrote:
> >
> > > Considering that various other parts of Rails recommend 0666 perms on log
> > > files, I'd say it was definitely deliberate. Ill-advised, definitely, but
> > > deliberate.
> >
> > Hmm, but why would rails ever recommend something that is ill-advised? :-D
>
> My guess would be to support FCGI processes that are running as the same user as
> Apache, which would usually be a different user and group from the user
> uploading and deploying the application files.

Solved on all my servers with:

    chgrp -R www-data log tmp
    chmod -R g+w log tmp

- Matt
Matt Palmer wrote:
>>>> Considering that various other parts of Rails recommend 0666 perms on log
>>>> files, I'd say it was definitely deliberate. Ill-advised, definitely,
>>>> but deliberate.
>>>
>>> Hmm, but why would rails ever recommend something that is ill-advised? :-D
>>
>> My guess would be to support FCGI processes that are running as the same user as
>> Apache, which would usually be a different user and group from the user
>> uploading and deploying the application files.
>
> Solved on all my servers with:
>
> chgrp -R www-data log tmp
> chmod -R g+w log tmp
>
> - Matt

Actually, after digging into this a bit more, it's not really Rails' fault. The rails command does create a production.log, but most people don't actually check that in to their repository or deploy it. Rather, the Ruby Logger class creates the file on the fly when the app is started. This is creating the file as 0666.

I would still like to figure out some way to configure Logger to do 0660 rather than have to rely on chmod-ing after the fact. But, that's clearly something I should take up with the Ruby folks.

thanks for your answers...

Ben
On 13-sep-2007, at 1:16, Ben Munat wrote:
> I'm curious if there is some reason why the rails command creates
> the log files
> as world-writable. This doesn't seem very security conscious.

Your issue is solved, but nevertheless I would like to chime in. AFAIK Rails consciously avoids being paranoid about most of the permissions (also having a user in the db that can modify tables). In the long run being too paranoid causes more grief than convenience. If you need stuff to be locked tight modify your deployment scripts accordingly :-) Or you can indeed make your own Logger (which seems the easiest to me).

--
Julian 'Julik' Tarkhanov
please send all personal mail to me at julik.nl
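Ben's wish to have Logger create the file as 0660 rather than 0666, and Julik's suggestion to supply your own Logger, both come down to the same trick: open the file yourself with an explicit mode and hand the IO to Logger.new, which accepts an IO as well as a path. The block below is an added example written for this thread, not code from Rails or from anyone in the discussion; the helper names open_restricted_log and log_mode are its own.

```ruby
require 'logger'
require 'tmpdir'

# Open (or create) a log file with an explicit permission mode and wrap it
# in a Logger. Because File.open does the creation, Logger never gets the
# chance to apply its own 0666 default; 0660 keeps the deployer-owns-files,
# www-data-group-writes arrangement working without a chmod afterwards.
def open_restricted_log(path, mode = 0o660)
  file = File.open(path, File::WRONLY | File::APPEND | File::CREAT, mode)
  # O_CREAT only sets the mode on a newly created file and is still narrowed
  # by the umask; chmod here makes the bits exact and also corrects a file
  # that an earlier run created world-writable.
  file.chmod(mode)
  file.sync = true
  Logger.new(file)
end

# Permission bits (the low 12 bits of st_mode) of a file, as an integer.
def log_mode(path)
  File.stat(path).mode & 0o7777
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'production.log')   # constructed sample path
    log = open_restricted_log(path)
    log.info('application started')
    printf("%s created with mode %04o\n", path, log_mode(path))
    log.close
  end
end
```

In a Rails app of that era the Logger built here would be assigned to the application's logger in the environment configuration; the permission check is what a deployment script should verify rather than assume.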