Virtualmin xferlog security issue?

#1 Mon, 12/06/2010 - 20:14
helpmin

Virtualmin xferlog security issue?

Virtualmin installs proftpd 1.3.3 on Centos, right? The default settings for the log folder is /var/log/proftpd (750 root:root).

Unfortunately proftpd creates xferlog with permissions 644 in /var/log (root:root).

Virtualmin should ensure that this is rather 640, right?

Mon, 12/06/2010 - 20:33
andreychek

Howdy,

Yeah, 1.3.3c is the version provided by Virtualmin.

If the /var/log/proftpd directory is "750", the permissions of files inside that wouldn't matter, as no one would be able to get that far in order to view them.

That said -- I'll shoot Joe an email, and see if he can update the permissions to 640 for the sake of consistency :-)

-Eric

Mon, 12/06/2010 - 21:01
helpmin

Sorry, forgot to mention. It puts it in /var/log, otherwise it wouldn't have been a security issue of course.

So it is not about consistency :-)

Tue, 12/07/2010 - 04:58
Locutus

While we are at it: On Ubuntu 10.04, with ProFTPD 1.3.2c, the situation is slightly different (yet still potentially problematic).

The ProFTPD logs are put into /var/log/proftpd which is 755 (root:root). All the files inside that directory get 640 (root:root) except for the (currently just one) rotated transfer log xferlog.1 which is 644. Additionally, an empty file xferreport is 644.

I just triggered another log file rotation; now I have xferlog.1, which is 640, and xferlog.2.gz, which is 644.

Something is fishy there. World should not be able to read the rotated and compressed transfer logs.

Tue, 12/07/2010 - 08:35
andreychek

Well, we may only be able to do something about the CentOS issue, since Virtualmin provides that particular package (CentOS doesn't have as many packages available to it by default as our Ubuntu systems :-)

However, I don't see that particular problem you're describing on my Ubuntu 8.04 system. The log rotation looks like it's being handled in /etc/cron.monthly/proftpd, by the various "savelog" entries. Do you see anything unusual in the setup there?

-Eric

Tue, 12/07/2010 - 16:29
Locutus

Hmm, on Ubuntu 10.04 it's apparently done differently. Logrotate gets called through /etc/cron.daily/logrotate, and the config pertaining to the ProFTPD transfer log in /etc/logrotate.d/proftpd-basic looks like this:

    /var/log/proftpd/xferlog /var/log/proftpd/xferreport {
        monthly
        missingok
        rotate 7
        compress
        delaycompress
        notifempty
        create 640 root adm
        sharedscripts
        prerotate
        endscript
        postrotate
            # reload could be not sufficient for all logs, a restart is safer
            invoke-rc.d proftpd restart 2>/dev/null >/dev/null || true
            # run ftpstats on past transfer log
            ftpstats -a -r -l 2 -d -h -f /var/log/proftpd/xferlog.0 2>/dev/null >/var/log/proftpd/xferreport || true
        endscript
    }

Sun, 02/20/2011 - 15:30
katir Pro Licensee

CentOS: confirmed. All FTP users can read the xferlogs, both new and compressed, regardless of what restrictions you set under "limits and validation".
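A quick way to check a server for the condition described in this thread (world-readable current, rotated and compressed transfer logs) and to apply the 750/640 permissions suggested above. This is an added example, not a script from Virtualmin or the posters; it assumes GNU stat (Linux) and builds its own temporary sample directory mirroring the permissions reported in the thread so it can be run offline.

```shell
#!/bin/sh
# Added example: audit a ProFTPD log directory for world-readable transfer
# logs and apply the 750 (directory) / 640 (files) layout the thread proposes.
# Assumes GNU coreutils: "stat -c %a" prints the octal mode, e.g. 644.

# Print "<mode> <path>" for every regular file in $1 whose "other" read bit
# is set (covers xferlog, xferlog.N and xferlog.N.gz alike).
# Returns 0 when nothing is world-readable, 1 otherwise.
audit_world_readable() {
    dir="$1"; found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")   # last octal digit = permissions for "other"
        other=$(( mode % 10 ))
        if [ $(( other & 4 )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$f"
            found=1
        fi
    done
    return $found
}

# Remediation from the thread: nobody but root and the log group (adm on
# Ubuntu, per the logrotate "create 640 root adm" line) may read the logs.
fix_log_perms() {
    chmod 750 "$1"
    find "$1" -type f -exec chmod 640 {} +
}

# Constructed sample directory reproducing the permissions reported in the
# thread: xferlog 644, xferlog.1 640, xferlog.2.gz 644, xferreport 644.
make_sample_dir() {
    tmp=$(mktemp -d); chmod 755 "$tmp"
    for name in xferlog xferlog.1 xferlog.2.gz xferreport; do : > "$tmp/$name"; done
    chmod 644 "$tmp/xferlog" "$tmp/xferlog.2.gz" "$tmp/xferreport"
    chmod 640 "$tmp/xferlog.1"
    echo "$tmp"
}

# Number of world-readable files in the sample before the fix (expected 3).
demo_audit() {
    d=$(make_sample_dir); n=$(audit_world_readable "$d" | wc -l | tr -d ' ')
    rm -rf "$d"; echo "$n"
}

# Number of world-readable files after fix_log_perms (expected 0).
demo_fix() {
    d=$(make_sample_dir); fix_log_perms "$d"
    n=$(audit_world_readable "$d" | wc -l | tr -d ' ')
    rm -rf "$d"; echo "$n"
}
```

Run `audit_world_readable /var/log/proftpd` (and, on the CentOS layout, `audit_world_readable /var/log | grep xferlog`) as root to check a live system; the exit status makes it usable from a cron or monitoring check.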