#40405 System log files are world readable

Message #13 received at 40405@debbugs.gnu.org (full text, mbox, reply):

Received: (at 40405) by debbugs.gnu.org; 5 Apr 2020 22:12:48 +0000
From debbugs-submit-bounces@debbugs.gnu.org Sun Apr 05 18:12:48 2020
Received: from localhost ([127.0.0.1]:46811 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1jLDVY-0006cN-6J
	for submit@debbugs.gnu.org; Sun, 05 Apr 2020 18:12:48 -0400
Received: from eggs.gnu.org ([209.51.188.92]:44488)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@gnu.org>) id 1jLDVW-0006bw-Qy
 for 40405@debbugs.gnu.org; Sun, 05 Apr 2020 18:12:47 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:44781)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@gnu.org>)
 id 1jLDVR-0004kn-Jn; Sun, 05 Apr 2020 18:12:41 -0400
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=39844 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@gnu.org>)
 id 1jLDVR-00008i-4d; Sun, 05 Apr 2020 18:12:41 -0400
From: Ludovic Courtès <ludo@gnu.org>
To: Diego Nicola Barbato <dnbarbato@posteo.de>
Subject: Re: bug#40405: System log files are world readable
References: <87v9mg1zbt.fsf@GlaDOS.home>
Date: Mon, 06 Apr 2020 00:12:39 +0200
In-Reply-To: <87v9mg1zbt.fsf@GlaDOS.home> (Diego Nicola Barbato's message of
 "Fri, 03 Apr 2020 15:19:34 +0200")
Message-ID: <874ktxh99k.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 40405
Cc: 40405@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

[Message part 1 (text/plain, inline)]

Hi,

Diego Nicola Barbato <dnbarbato@posteo.de> skribis:

> On Guix System the log files (in /var/log) generated by syslogd are
> currently (commit 151f3d4) world readable.  They should probably only be
> readable by root (for the same reason that dmesg can only be run by
> root).
>
> It isn't possible to set the umask with fork-exec-constructor, is it?
> Otherwise that might have been a simple solution.

That would be a nice solution to implement in the Shepherd.  If you feel
like giving it a try, that would be great!

In the meantime, the patch below fixes the syslogd problem.  Also
attached is a patch for the accounting database, though that one is
questionable.

Thoughts?

Thanks,
Ludo’.

[Message part 2 (text/x-patch, inline)]

diff --git a/gnu/services.scm b/gnu/services.scm
index 7941cd3af0..d631e8dd32 100644
--- a/gnu/services.scm
+++ b/gnu/services.scm
@@ -528,15 +528,20 @@ ACTIVATION-SCRIPT-TYPE."
                       (use-modules (gnu build activation)
                                    (guix build utils))
 
+                      (define (ensure-file-exists file)
+                        (let ((port (open-file file "a0")))
+                          (chmod port #o640)
+                          (close-port port)))
+
                       ;; Make sure the user accounting database exists.  If it
                       ;; does not exist, 'setutxent' does not create it and
                       ;; thus there is no accounting at all.
-                      (close-port (open-file "/var/run/utmpx" "a0"))
+                      (ensure-file-exists "/var/run/utmpx")
 
                       ;; Same for 'wtmp', which is populated by mingetty et
                       ;; al.
                       (mkdir-p "/var/log")
-                      (close-port (open-file "/var/log/wtmp" "a0"))
+                      (ensure-file-exists "/var/log/wtmp")
 
                       ;; Set up /run/current-system.  Among other things this
                       ;; sets up locales, which the activation snippets
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 8d9a563e2b..e59b6fea80 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1436,10 +1436,17 @@ Service Switch}, for an example."
       (documentation "Run the syslog daemon (syslogd).")
       (provision '(syslogd))
       (requirement '(user-processes))
-      (start #~(make-forkexec-constructor
-                (list #$(syslog-configuration-syslogd config)
-                      "--rcfile" #$(syslog-configuration-config-file config))
-                #:pid-file "/var/run/syslog.pid"))
+      (start #~(let ((fork (make-forkexec-constructor
+                            (list #$(syslog-configuration-syslogd config)
+                                  "--rcfile"
+                                  #$(syslog-configuration-config-file config))
+                            #:pid-file "/var/run/syslog.pid")))
+                 (lambda ()
+                   ;; Set the umask such that file permissions are #o640.
+                   (let ((mask (umask #o137))
+                         (pid  (fork)))
+                     (umask mask)
+                     pid))))
       (stop #~(make-kill-destructor))))))
 
 ;; Snippet adapted from the GNU inetutils manual.

Send a report that this bug log contains spam.