-
Notifications
You must be signed in to change notification settings - Fork 43
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Log permissions are hard-coded to 0600 #293
Comments
Thanks @jarppiko for the analysis. Here I may have missed something because I tried to generalize a behavior that we implemented on some, but not all packages. Are you saying this: https://github.com/crowdsecurity/crowdsec/blob/master/pkg/types/utils.go#L43 is not required anymore? If you mean we can set umask in the systemd service, I'm not sure we want to do it for every file that is created. what do you think @buixor |
Hi @mmetc , How
By default,
|
Hello @mmetc, My comments:
The file you referred to relates to
I was more thinking aloud options how to provide configurability of log file permissions to admins. These are the options, IMHO:
Out of these only options 1 and 2 make sense, IMO. |
Thanks, closing as fixed I was confused at first because I was sure I had replicated the issue, but it was before updating the lumberjack dependency |
Summary
crowdsec-firewall-bouncer
does not provide admins options to configure log files access permissions, but log file permissions are hard-coded to0600
.crowdsec-firewall-bouncer
does not respect processumask
either which prevents admins to usesystemd
'sUMask=
option. The underlying lumberjack log roller library actually respects existing log file permissions, butcrowdsec-firewall bouncer
disables this functionality. The current behavior resets the log file permissions to0600
in every restart.While hard-coded
0600
log file permission is secure, it also prevents admins to change the log file permissions if needed. If other tools (e.g.promtail
) requiring access to the log files run in rootless mode (a good security practice), the tools cannot read Crowdsec bouncer log files.Technical details
It seems this "feature" was created as a response to upstream issue natefinch/lumberjack#82, but this issue has been fixed more than 4 years ago.
The code responsible for setting the access rights resides in
LoggerForFile()
in pkg/cfg/logging.go. It callslogtools.fileperms.SetLogFilePermissions()
to hard-reset log file permissions to0600
. OtherwiseSetLogFilePermissions()
seems a copy-paste fromlumberjack
.See pkg/logtools/fileperms.go in crowdsecurity/go-cs-lib:
Proposal
Proposal is to remove disabling of
lumberjack
's built-in behavior and thus to give admins option to change log file permissions if needed. I will submit a PR shortly.As an added-bonus 🏅, the whole logtools/fileperms.go in crowdsecurity/go-cs-lib could be removed if the change was implemented to the three other bouncers using the same function 😃
The text was updated successfully, but these errors were encountered: