Gunnar Wolf
2010-Nov-10 16:49 UTC
[Secure-testing-team] Bug#603048: rails: Gives dangerous advice regarding log permissions
Package: rails
Version: 2.3.5-1.1
Severity: serious
Tags: security patch
Justification: 4

When a Rails process is spawned by any user that is not the logfile owner, the following IMHO dangerous advice is given:

  Rails Error: Unable to access log file. Please ensure that /home/webapps/servicio.iiec/log/production.log exists and is chmod 0666. The log level has been raised to WARN and the output directed to STDERR until the problem is fixed.

Asking the administrator to make the log files mode 0666 would make them vulnerable to modification or erasure by any system user. Even given that many of Rails' users are not Unix-savvy, this should clearly be rephrased.

This message is generated by the initialize_logger function of Rails::Initializer, in /usr/share/rails-ruby1.8/railties/lib/initializer.rb

I suggest the following wording:

--- /usr/share/rails-ruby1.8/railties/lib/initializer.rb	2010-08-26 12:48:36.000000000 -0500
+++ /tmp/initializer.rb	2010-11-10 10:47:53.000000000 -0600
@@ -492,7 +492,7 @@
 logger = ActiveSupport::BufferedLogger.new(STDERR)
 logger.level = ActiveSupport::BufferedLogger::WARN
 logger.warn(
-  "Rails Error: Unable to access log file. Please ensure that #{configuration.log_path} exists and is chmod 0666. " +
+  "Rails Error: Unable to access log file. Please ensure that #{configuration.log_path} exists and is write-accessible to UID #{Process.euid}, GID #{Process.egid}. " +
   "The log level has been raised to WARN and the output directed to STDERR until the problem is fixed."
 )
 end

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-openvz-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages rails depends on:
ii  rails-ruby1.8  2.3.5-1.1  MVC ruby based framework geared fo

rails recommends no packages.

rails suggests no packages.

-- debconf-show failed
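Review bot: the `+` line reports only numeric ids (`UID #{Process.euid}, GID #{Process.egid}`); for the non-Unix-savvy administrators the report itself mentions, resolving them to names (e.g. `Etc.getpwuid(Process.euid).name`, falling back to the number when the lookup fails) would make the advice easier to act on. The new text also keeps the single condition "exists and is write-accessible"; separating the file-missing case (the log directory has to permit creating the file) from the file-present-but-not-writable case would tell the administrator which permission to change.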
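As an added example (not code from the bug report or from Rails), this Ruby snippet shows the kind of diagnosis the report argues for: instead of telling the administrator to chmod 0666, it reports who actually needs write access, resolves the effective uid/gid to names where it can, and flags a world-writable log file as the hazard described above. It assumes only the Ruby standard library; the function name log_file_advice and the hypothetical helpers are mine.

```ruby
# Added example, not part of the bug report or of Rails.
require 'etc'
require 'tmpdir'

# Resolve numeric ids to names where possible; fall back to the raw number
# (Etc raises ArgumentError for an unknown id).
def name_for_uid(uid)
  Etc.getpwuid(uid).name
rescue ArgumentError
  uid.to_s
end

def name_for_gid(gid)
  Etc.getgrgid(gid).name
rescue ArgumentError
  gid.to_s
end

# Return [state, advice] for a log path as seen by the current effective
# uid/gid. A world-writable file is reported as a problem even though the
# process could write to it, since any local user could modify or erase it.
def log_file_advice(path)
  euid = Process.euid
  egid = Process.egid
  who = "UID #{euid} (#{name_for_uid(euid)}), GID #{egid} (#{name_for_gid(egid)})"
  unless File.exist?(path)
    dir = File.dirname(path)
    unless File.writable?(dir)
      return [:dir_not_writable, "#{dir} is not writable by #{who}, so #{path} cannot be created"]
    end
    return [:creatable, "#{path} does not exist but can be created by #{who}"]
  end
  mode = File.stat(path).mode & 0o777
  if (mode & 0o002) != 0
    return [:world_writable,
            "#{path} is mode #{format('%04o', mode)}: any local user can modify or erase it; " \
            "restrict write access to #{who}"]
  end
  return [:ok, "#{path} is writable by #{who}"] if File.writable?(path)
  [:not_writable, "#{path} exists but is not writable by #{who}"]
end
```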