munged: Error: Logfile is insecure: group-writable permissions set on "/var/log" #31

Closed
GoogleCodeExporter opened this Issue May 15, 2015 · 1 comment


GoogleCodeExporter commented May 15, 2015

What steps will reproduce the problem?

Start munged on Ubuntu 14.04 without use of the --force command-line option.

What is the expected output? What do you see instead?

munged should start with the default options. Instead, it fails and exits:

$ sudo service munge start
 * Starting MUNGE munged [fail]
munged: Error: Logfile is insecure: group-writable permissions set on "/var/log"

What version of the software are you using? On what operating system?

munge-0.5.11 on Ubuntu 14.04

Please provide any additional information below.

Ubuntu 14.04 changes the /var/log directory permissions from 0755 root:root to 0775 root:syslog. munged is warning of the group-writable permissions on /var/log.

Running munged with either the --force or --syslog command-line option will override this warning:

  • --force will override errors (turning them into warnings) for an existing local domain socket, a lack of entropy for the PRNG, and some potentially insecure file/directory permissions
  • --syslog will bypass the permission check on /var/log since log messages will instead be routed to the syslog service

These command-line options can be specified in the OPTIONS variable in /etc/default/munge:

OPTIONS="--force"

https://bugs.launchpad.net/ubuntu/+source/munge/+bug/1287624

Original issue reported on code.google.com by chris.m.dunlap on 29 May 2014 at 8:00

@dun dun added this to the 0.5.12 milestone Jun 4, 2015

@dun dun added bug and removed auto-migrated labels Jun 6, 2015

dun commented Aug 4, 2015

Ubuntu 15.04 switched to systemd. It does not use /etc/init.d/munge or /etc/default/munge. To specify command-line options for munged, perform the following steps:

  1. systemctl edit --system --full munge

    This command will perform the following actions:

    1. Copy munge.service to /etc/systemd/system/munge.service
    2. Invoke an editor on this new munge.service file
    3. Reload the systemd configuration afterwards

    While in the editor, append either --syslog or --force to the ExecStart line:

    ExecStart=/usr/sbin/munged --syslog
    

    If munge.service is instead manually edited, a systemctl daemon-reload will be necessary to reload the systemd configuration afterwards.

  2. systemctl enable munge

    This command will enable the service at boot.

  3. systemctl start munge

    This command will start the daemon.
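
An added example, not part of the issue thread or of MUNGE's code: a pre-flight check that lists which directories above a logfile have the group-write bit set (as /var/log does at 0775 root:syslog on Ubuntu 14.04), so the cause is visible before choosing --syslog or --force. The function name, the optional stop directory and the sample path in the comments are assumptions; it tests only the group-write bit and does not reproduce munged's full set of checks.

```shell
#!/bin/sh
# Added example (not MUNGE code): report group-writable directories on the
# path leading to a logfile.
#
# Usage (the path is an assumed example):
#   group_writable_dirs /var/log/munge/munged.log
#
# group_writable_dirs LOGFILE [STOP_DIR]
#   Walks from LOGFILE's parent directory up to STOP_DIR (default "/"),
#   inclusive, and prints every directory whose mode has the group-write
#   bit (020) set. LOGFILE itself does not need to exist.
#   Returns 0 if none were found, 1 if at least one was, 2 on a bad path.
group_writable_dirs() (
    # Resolve both ends to physical absolute paths so the walk terminates.
    dir=$(cd "$(dirname "$1")" && pwd -P) || exit 2
    stop=$(cd "${2:-/}" && pwd -P) || exit 2
    rc=0
    while :; do
        # -prune keeps find from descending; -perm -020 matches only when
        # the group-write bit is set on the directory itself.
        if [ -n "$(find "$dir" -prune -perm -020 -print)" ]; then
            printf '%s\n' "$dir"
            rc=1
        fi
        if [ "$dir" = "$stop" ] || [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    exit "$rc"
)
```

Each directory it prints can be inspected with ls -ld to see the owning group before deciding whether to route logging through --syslog or to change the directory's mode.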
