supervision - discussion about system services, daemon supervision, init, runlevel management, and tools such as s6 and runit
* s6-log does not obey umask
From: Vallo Kallaste @ 2012-11-13 20:46 UTC
  To: supervision

Hi

I am not sure if it is intended behaviour or not.
echo |/command/umask 0027 s6-log /some/dir will create lock and
state files with permissions 0640, but current with 0744. It is the
world-readable bit I am concerned with.
-- 
Vallo



* Re: s6-log does not obey umask
From: Laurent Bercot @ 2012-11-14  2:29 UTC
  To: Vallo Kallaste; +Cc: supervision

> I am not sure if it is intended behaviour or not.
> echo |/command/umask 0027 s6-log /some/dir will create lock and
> state files with permissions 0640, but current with 0744. It is the
> world-readable bit I am concerned with.

 It is intentional. When the current file is created, it actually
respects the umask. When s6-log exits, it uses the fchmod() system call,
which doesn't take the umask into account, to chmod the current file to
744, which is a marker that says "processed, safe file".

 There is no security problem : the /some/dir directory will have
restricted, umask-following, rights, so the "current" file will be
unreadable by others anyway.

-- 
 Laurent



* Re: s6-log does not obey umask
From: Vallo Kallaste @ 2012-11-14  8:57 UTC
  To: supervision, kalts

On Wed, Nov 14, 2012 at 03:29:02AM +0100, Laurent Bercot
<ska-supervision@skarnet.org> wrote:

> > I am not sure if it is intended behaviour or not.
> > echo |/command/umask 0027 s6-log /some/dir will create lock and
> > state files with permissions 0640, but current with 0744. It is the
> > world-readable bit I am concerned with.
> 
>  It is intentional. When the current file is created, it actually
> respects the umask. When s6-log exits, it uses the fchmod() system call,
> which doesn't take the umask into account, to chmod the current file to
> 744, which is a marker that says "processed, safe file".
> 
>  There is no security problem : the /some/dir directory will have
> restricted, umask-following, rights, so the "current" file will be
> unreadable by others anyway.

OK, so be it. But the notion that /some/dir always has restricted
rights is not true; it depends on circumstances.
I will move other logdirs out of /some/dir, it's easier and cleaner
than resorting to ACL kludgery.
-- 
Vallo



* Re: s6-log does not obey umask
From: Laurent Bercot @ 2012-11-14  9:27 UTC
  To: Vallo Kallaste; +Cc: supervision

> OK, so be it. But the notion that /some/dir always has restricted
> rights is not true; it depends on circumstances.

 Well, if you run "s6-log /some/dir" and /some/dir doesn't
previously exist, it is created with rights 2700 by default, so
everything under it can only be accessed by the user.
 If you create /some/dir world-readable, or you make it world-readable
after s6-log has started, then s6-log won't say anything, but it's your
own choice and you cannot complain about s6-log exposing logs to the
world. ;)


> I will move other logdirs out of /some/dir, it's easier and cleaner
> than resorting to ACL kludgery.

 In your example, /some/dir is a unique logdir. What are you trying to
accomplish ?

-- 
 Laurent



* Re: s6-log does not obey umask
From: Vallo Kallaste @ 2012-12-13 15:24 UTC
  To: supervision

On Wed, Nov 14, 2012 at 10:27:21AM +0100, Laurent Bercot
<ska-supervision@skarnet.org> wrote:

> > I will move other logdirs out of /some/dir, it's easier and cleaner
> > than resorting to ACL kludgery.
> 
>  In your example, /some/dir is a unique logdir. What are you trying to
> accomplish ?

I had other logdirs under /some/dir; some services have additional
logging and do not send all logs to stdout. /some/dir/current has
the world-readable bit always on. By allowing some UIDs to step through
/some/dir to some other dir under it, the UID can read
/some/dir/current. The file name is always "current" so there is
nothing left to guess even if the UID could not list the directory
content.
It is a simple case and I moved the other logdirs out of /some/dir.

BR,
-- 
Vallo
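
The behaviour discussed in this thread, reproduced as an added example that is not part of any message and is not s6-log source code: a file created under umask 027 gets 0640, fchmod() to 0744 ignores the umask, and the file becomes readable by other users once its directory grants them search (x) permission. The temporary path and the names `run_scenario` and `other_can_read` are hypothetical, and ancestor directories are assumed traversable.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct result { mode_t created, marked; int exposed_0700, exposed_0711; };

/* A file is readable by "other" users when it has o+r and its directory has
 * o+x (search). Listing (o+r on the directory) is not needed when the name is
 * known. Ancestor directories are assumed traversable. */
static int other_can_read(const char *dir, const char *file) {
    struct stat d, f;
    if (stat(dir, &d) != 0 || stat(file, &f) != 0) return -1;
    return (d.st_mode & S_IXOTH) && (f.st_mode & S_IROTH);
}

/* Constructed scenario (not s6-log source). Returns 0 and fills *r, else -1. */
int run_scenario(struct result *r) {
    char dir[] = "/tmp/logdir-demo-XXXXXX", file[64] = "";
    struct stat st;
    mode_t old = umask(027);                 /* same umask as in the thread */
    int rc = -1, fd = -1;
    if (!mkdtemp(dir)) goto out;             /* created with mode 0700 */
    snprintf(file, sizeof file, "%s/current", dir);
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (fd < 0 || fstat(fd, &st) != 0) goto out;
    r->created = st.st_mode & 07777;         /* 0666 & ~027 = 0640 */
    if (fchmod(fd, 0744) != 0 || fstat(fd, &st) != 0) goto out;
    r->marked = st.st_mode & 07777;          /* umask not applied: 0744 */
    r->exposed_0700 = other_can_read(dir, file);
    if (chmod(dir, 0711) != 0) goto out;     /* let others step through */
    r->exposed_0711 = other_can_read(dir, file);
    rc = 0;
out:
    if (fd >= 0) close(fd);
    unlink(file); rmdir(dir);                /* clean up the demo directory */
    umask(old);
    return rc;
}

int main(void) {
    struct result r;
    if (run_scenario(&r) != 0) { perror("run_scenario"); return 1; }
    printf("created %04o, after fchmod %04o, exposed: 0700=%d 0711=%d\n",
           (unsigned)r.created, (unsigned)r.marked, r.exposed_0700, r.exposed_0711);
    return 0;
}
```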



* Re: s6-log does not obey umask
From: Laurent Bercot @ 2012-12-14  5:21 UTC
  To: supervision

> I had other logdirs under /some/dir

 I should probably add to the documentation that a logdir should be
exclusively reserved for an s6-log instance and that the user should not
try to use it any other way, including making subdirectories in it.

-- 
 Laurent


