# general
k
Hi everyone I seem to have stumbled on an unexpected file access control issue of the rotated `osqueryd.results.log.X.zst` files. I see that the currently active `osqueryd.results.log` file is correctly access controlled to `rw-r-----` but I see that its respective `.zst` archives are given a `rw-r--r--` permission. This allows any user on the system to unarchive the log archive and read the content of the results output. Could anyone else replicate this issue? Shouldn't the `.zst` archive have the same access control flags as its log file? If not the attacker can just wait until the `results.log` gets rotated into an archive and read its content.
s
Hello @KK, I can see the issue in code; the mode for the file is kept on default values, which is actually `0666` but `umask` downgrades it to `0644`, so that results in the permissions you see. Also the status logs are `0644`.
k
Thank you for confirming. Can I propose that at least the archives are stored with 640? I'll be happy to raise an issue if needed. Please let me know.
s
I would open an issue. Also slightly tangent but default being `0666` in the core, when creating files, seems a bit dangerous, umask or not. EDITED: Forgot about log collectors, and then /var/log/osquery already not being open for everyone
The issue might give time for others to chime in
k
Thank you. Raised https://github.com/osquery/osquery/issues/8103. Looking forward to the outcome of the discussion.
And just to add, /var/log/osquery is open to everyone, at least for my fresh install (directory permission 755).
s
yeah, I misread it earlier, was going to mention it on the issue too. That should also be changed to `0750`